Bo-Blog Cross-Site Scripting and SQL Injection Vulnerabilities

vendor:

Bo-Blog

by:

SecurityFocus

7,5

CVSS

HIGH

Cross-Site Scripting and SQL Injection

79, 89

CWE

Product Name: Bo-Blog

Affected Version From: 2.1.1

Affected Version To: 2.1.1

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2013

Bo-Blog Cross-Site Scripting and SQL Injection Vulnerabilities

Bo-Blog is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input. Attackers can exploit these issues to execute arbitrary code in the context of the browser, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to execute unintended commands or modify data.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/61880/info

Bo-Blog is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.

Attackers can exploit these issues to execute arbitrary code in the context of the browser, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.

Bo-Blog 2.1.1 is vulnerable; other versions may also be affected. 

http://www.example.com//view.php?go=userlist&ordered=1%27 [SQLi]

http://www.example.com/view.php?go=userlist&ordered=1&usergroup=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E [XSS]

http://www.example.com//view.php?go=userlist&ordered=1&usergroup="/><script>alert(1);</script> [XSS]