Vendor: NetRisk
By: StAkeR aka athos
CVSS: 8.8 (HIGH)
CWE: 79, 89, 89 (Cross Site Scripting, Remote SQL Injection, Remote Blind SQL Injection)
Product Name: NetRisk
Affected Version From: 2
Affected Version To: 2
Patch Exists: NO
Related CWE: N/A
CPE: a:netrisk:netrisk
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
NetRisk <= 2.0 (XSS/SQL Injection) Remote Vulnerabilities
NetRisk versions 2.0 and prior are vulnerable to Cross Site Scripting, Remote SQL Injection and Remote Blind SQL Injection. An attacker can inject malicious JavaScript code into the 'error' parameter of the 'index.php' page. An attacker can also inject malicious SQL code into the 'p' and 'id' parameters of the 'index.php' page, either as a direct SQL injection or as a blind SQL injection attack.
Mitigation:
Input validation should be used to prevent Cross Site Scripting and SQL Injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries. It is also recommended to use parameterized queries to prevent SQL Injection attacks.