Vendor: Classified Ultra
By: SecurityFocus
CVSS: 4.3 (MEDIUM)
Type: SQL-injection and Cross-site Scripting
CWE: 89, 79
Product Name: Classified Ultra
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: CWE-89 (SQL Injection), CWE-79 (Cross-site Scripting)
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2012

Classified Ultra SQL-injection and Cross-site Scripting Vulnerabilities

Classified Ultra is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because subclass.php fails to sufficiently sanitize user-supplied data: the c parameter reaches the database query without validation or parameterization, and the cname parameter is reflected into the HTML response without output encoding. Exploiting the SQL-injection vulnerability could allow an attacker to access or modify data, compromise the application, or exploit latent vulnerabilities in the underlying database; exploiting the cross-site scripting vulnerability could allow an attacker to steal the cookie-based authentication credentials of a user who follows a crafted link.

An attacker can exploit the SQL-injection vulnerability by sending a specially crafted HTTP request to the vulnerable application, such as http://www.example.com/demos/classifiedultra/subclass.php?c=16'[SQLi HERE]. An attacker can exploit the cross-site scripting vulnerability by sending a specially crafted HTTP request to the vulnerable application, such as http://www.example.com/demos/classifiedultra/subclass.php?c=6&cname=Credit%20Cards[XSS HERE]. The bracketed markers are placeholders from the original advisory, not working payloads. The trailing single quote in c=16' is the conventional probe for a value concatenated into an SQL string, since it typically produces a database error; a cname value carrying HTML-significant characters that comes back verbatim confirms the missing output encoding.
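One way to verify both findings against a test instance, as an added example that is not part of the original advisory or of Classified Ultra. It turns the two placeholder URLs above (repeated in the raw data below) into a baseline-versus-probe comparison for c and a canary-reflection check for cname. The error fingerprints assume a MySQL-backed PHP install, which the advisory does not state; the two fetch functions are constructed stand-ins for an unpatched and a fixed server so the script runs offline, and a real check would pass a function that performs the HTTP request.

```python
"""Added example: offline verification harness for the two subclass.php findings.
Constructed stand-ins replace the HTTP layer so this runs without a target."""
import html
import re
from typing import Callable, Dict, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Placeholder host from the advisory; change to the instance under test.
BASE = "http://www.example.com/demos/classifiedultra/subclass.php"

# Assumption: a MySQL-backed PHP install. These are common PHP/MySQL error
# fragments, not strings taken from Classified Ultra itself.
SQL_ERROR_PATTERNS = [
    r"You have an error in your SQL syntax",
    r"mysqli?_fetch_(?:array|assoc|row)\(\) expects parameter",
    r"supplied argument is not a valid MySQL result resource",
]

Fetch = Callable[[str], str]


def with_params(base: str, params: Dict[str, str]) -> str:
    """Rebuild the URL with a properly encoded query string (', <, > and quotes)."""
    p = urlsplit(base)
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(params), p.fragment))


def check_sqli(fetch: Fetch, c: str = "16") -> Dict[str, Optional[str]]:
    """Error-based probe mirroring the advisory's c=16' placeholder: a database
    error that appears only after appending a quote shows the parameter reaches
    the query unparameterised."""
    baseline = fetch(with_params(BASE, {"c": c}))
    probed = fetch(with_params(BASE, {"c": c + "'"}))
    for pat in SQL_ERROR_PATTERNS:
        if re.search(pat, probed) and not re.search(pat, baseline):
            return {"vulnerable": True, "evidence": pat}
    return {"vulnerable": False, "evidence": None}


def check_xss(fetch: Fetch, c: str = "6", cname: str = "Credit Cards") -> Dict[str, Optional[str]]:
    """Reflection probe for cname: the canary carries every HTML-significant
    character plus a rare token; it must come back encoded, never verbatim."""
    canary = "zq7x<\"'>"
    body = fetch(with_params(BASE, {"c": c, "cname": cname + canary}))
    if canary in body:
        return {"vulnerable": True, "evidence": "canary reflected unencoded"}
    return {"vulnerable": False, "evidence": None}


def vulnerable_fetch(url: str) -> str:
    """Constructed stand-in for an unpatched install (not real application output)."""
    q = dict(parse_qsl(urlsplit(url).query))
    c, cname = q.get("c", ""), q.get("cname", "")
    if "'" in c:
        return ("<b>Warning</b>: mysql_fetch_array() expects parameter 1 to be "
                "resource, boolean given in subclass.php on line 42")
    return f"<h1>Subcategory: {cname}</h1><p>Listings for category {c}</p>"


def hardened_fetch(url: str) -> str:
    """Constructed stand-in for a fixed install: digits-only c, encoded cname."""
    q = dict(parse_qsl(urlsplit(url).query))
    c, cname = q.get("c", ""), q.get("cname", "")
    if not c.isdigit():
        return "<p>Invalid category.</p>"
    return f"<h1>Subcategory: {html.escape(cname, quote=True)}</h1><p>Listings for category {c}</p>"


def run_checks(fetch: Fetch) -> Dict[str, Dict[str, Optional[str]]]:
    """Run both probes against one server and return the verdicts."""
    return {"sqli": check_sqli(fetch), "xss": check_xss(fetch)}


if __name__ == "__main__":
    for name, f in (("vulnerable", vulnerable_fetch), ("hardened", hardened_fetch)):
        print(name, run_checks(f))
```

The baseline request matters: a page that always prints a stale database warning would otherwise be flagged on the probe alone. Against a live instance, replace the stand-in with a function that issues the GET and returns the body, and keep the probes to a single quote and an encoded canary; neither changes data.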

Mitigation:

No vendor patch is listed for this issue (Patch Exists: NO), so the fixes apply to the application code. Validate untrusted input before use: c should be accepted only as a numeric category identifier, and cname only within an expected length and character set. Never build the SQL query by concatenating user-supplied values; use an appropriate database API with parameterized queries (in a PHP application such as this one, PDO or mysqli prepared statements with bound parameters) so that untrusted data cannot modify the intended SQL query. Encode untrusted data for the context in which it is output so that it cannot modify the intended HTML (in PHP, htmlspecialchars with ENT_QUOTES and an explicit charset); output encoding is the control that stops the reflection, and input validation alone is not a substitute for it.
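The two fixes the mitigation calls for, shown as an added example beside the vulnerable pattern they replace. This is not code from Classified Ultra (whose source is not on this page); it uses Python's sqlite3 and html modules so it runs offline, and the table, rows and payloads are constructed. In the PHP application the same shape is a PDO or mysqli prepared statement with c bound as a parameter, and htmlspecialchars($cname, ENT_QUOTES, 'UTF-8') for cname.

```python
"""Added example: the vulnerable pattern beside its hardened form, for both the
query (SQL injection) and the page output (cross-site scripting)."""
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the category table; not the real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subclass (id INTEGER PRIMARY KEY, cname TEXT)")
    conn.executemany("INSERT INTO subclass VALUES (?, ?)",
                     [(6, "Credit Cards"), (16, "Used Cars"), (17, "Rentals")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, c: str) -> List[Tuple[int, str]]:
    """Untrusted c concatenated into the query: the flaw class the advisory reports."""
    return conn.execute(
        "SELECT id, cname FROM subclass WHERE id = '" + c + "'").fetchall()


def lookup_hardened(conn: sqlite3.Connection, c: str) -> List[Tuple[int, str]]:
    """Validate the id's shape first, then bind it; the engine never parses it as SQL."""
    if not c.isdigit() or len(c) > 9:
        raise ValueError("c must be a numeric category id")
    return conn.execute(
        "SELECT id, cname FROM subclass WHERE id = ?", (int(c),)).fetchall()


def render_vulnerable(cname: str) -> str:
    """cname echoed verbatim into the HTML response."""
    return f"<h1>Subcategory: {cname}</h1>"


def render_hardened(cname: str) -> str:
    """Encode for an HTML text context; quote=True also covers attribute contexts."""
    return f"<h1>Subcategory: {html.escape(cname, quote=True)}</h1>"


def demo() -> dict:
    conn = make_db()
    # Constructed payloads in the spirit of the advisory's c=16' placeholder.
    try:
        lookup_vulnerable(conn, "16'")
        quote_breaks_query = False
    except sqlite3.OperationalError:  # unterminated string: the error-based tell
        quote_breaks_query = True
    tautology = "16' OR '1'='1"
    try:
        lookup_hardened(conn, tautology)
        hardened_outcome = "accepted"
    except ValueError:
        hardened_outcome = "rejected"
    script = "Credit Cards<script>alert(document.cookie)</script>"
    return {
        "quote_breaks_query": quote_breaks_query,
        "vulnerable_rows": len(lookup_vulnerable(conn, tautology)),  # whole table
        "hardened_outcome": hardened_outcome,
        "normal_rows": lookup_hardened(conn, "16"),
        "vulnerable_html": render_vulnerable(script),
        "hardened_html": render_hardened(script),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The order of the two controls in lookup_hardened is deliberate: the integer check rejects the malformed value outright, and the bound parameter protects every value that passes it, so neither control carries the whole load. The rendering half shows why the mitigation text separates the two problems: a numeric check on c does nothing for cname, which only output encoding makes safe.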

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/57465/info

Classified Ultra is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

SQL-injection:

http://www.example.com/demos/classifiedultra/subclass.php?c=16'[SQLi HERE]

Cross-site scripting:

http://www.example.com/demos/classifiedultra/subclass.php?c=6&cname=Credit%20Cards[XSS HERE]