VLD Personal – Multiple Vulnerabilities
Vendor: VLD Personal
Reported by: Mr T
CVSS: 5.5 (MEDIUM)
Vulnerability Types: XSS Attack, SQL Injection
CWE: 79, 89
Product Name: VLD Personal
Affected Version From: 2.7
Affected Version To: 2.7.2001
Patch Exists: YES
CPE: a:vldpersonals:vld_personal:2.7
Platforms Tested: Windows, Linux
Year: 2014
The XSS vulnerability is caused by copying the value of the id request parameter into an HTML tag attribute without proper sanitization or output encoding. The SQL injection vulnerability is caused by the country, gender1 and gender2 request parameters being incorporated into database queries without parameterization or validation.
Mitigation:
To mitigate the XSS vulnerability, validate the id parameter and encode it for the HTML attribute context before it is written into the page. To mitigate the SQL injection vulnerability, pass country, gender1 and gender2 to the database through parameterized (prepared) queries rather than building SQL strings from them.
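The following PHP snippet is an added illustration of the two patterns the advisory describes, each beside a hardened form; it is not VLD Personal's own code, and the function names, table and column names, and the gender enumeration are assumptions made for the example (VLD Personal is assumed to be a PHP/MySQL application).

```php
<?php
// Added illustration (not VLD Personal's code). Function, table and column
// names are assumptions for the example.

// --- XSS: the id parameter copied into an HTML tag attribute ---------------

// Unsafe: the raw request value lands inside an attribute, so a value
// containing a quote can break out of the attribute context.
function profileLinkUnsafe(array $get): string {
    return '<a href="profile.php?id=' . $get['id'] . '">Profile</a>';
}

// Hardened: enforce the expected type, then encode for the attribute context.
function profileLinkSafe(array $get): string {
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        return '';   // reject anything that is not an integer id
    }
    $attr = htmlspecialchars((string)$id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="profile.php?id=' . $attr . '">Profile</a>';
}

// --- SQLi: country/gender1/gender2 concatenated into a query ----------------

// Unsafe: string concatenation lets any of the three parameters alter the SQL.
function searchUnsafe(PDO $db, array $get): array {
    $sql = "SELECT id, username FROM members WHERE country = '" . $get['country']
         . "' AND gender = '" . $get['gender1'] . "' AND seeking = '" . $get['gender2'] . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: whitelist the enumerated values, then bind every parameter.
function searchSafe(PDO $db, array $get): array {
    $allowedGender = ['m', 'f'];   // assumed enumeration for the example
    foreach (['gender1', 'gender2'] as $p) {
        if (!in_array($get[$p] ?? null, $allowedGender, true)) {
            throw new InvalidArgumentException("invalid value for $p");
        }
    }
    $stmt = $db->prepare(
        'SELECT id, username FROM members WHERE country = :country AND gender = :g1 AND seeking = :g2'
    );
    $stmt->execute([
        ':country' => (string)($get['country'] ?? ''),
        ':g1'      => $get['gender1'],
        ':g2'      => $get['gender2'],
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

With the hardened forms, a malformed id produces no link at all, and the search parameters can only ever be treated as data by the database.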