eFiction SQL Injection, Remote File Upload, and Cross Site Scripting Vulnerabilities

vendor:

eFiction

by:

Unknown

7.5

CVSS

HIGH

SQL injection, remote file upload, cross site scripting

CWE

Product Name: eFiction

Affected Version From: 1

Affected Version To: 2

Patch Exists: No

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

Unknown

eFiction SQL Injection, Remote File Upload, and Cross Site Scripting Vulnerabilities

The vulnerabilities in eFiction allow an attacker to view and modify sensitive information, gain unauthorized access, modify and corrupt the underlying database application, and obtain a victim's authentication credentials. An example exploit URL is provided.

Mitigation:

Unknown

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/15568/info
 
eFiction is prone to SQL injection, remote file upload, and cross site scripting vulnerabilities.
 
These vulnerabilities may allow an attacker to view and modify sensitive information, gain unauthorized access, modify and corrupt the underlying database application, and obtain a victim's authentication credentials.
 
eFiction versions 1.0, 1.1 and 2.0 are reported to be vulnerable; other versions may also be affected. 

http://www.example.com/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,'<script>alert(document.cookie)</script>'
,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname,0%20FROM%20fanfiction_authors%20/*