Vendor: eFiction
By: Unknown
CVSS: 7.5 (HIGH)
Vulnerability Types: SQL Injection, Remote File Upload, Cross Site Scripting (XSS)
CWE: 89, 434, 79
Product Name: eFiction
Affected Version From: 1
Affected Version To: 2
Patch Exists: Unknown
Related CWE: Unknown
CPE: a:efiction:efiction
Platforms Tested: Unknown
eFiction SQL Injection, Remote File Upload, and XSS Vulnerabilities
eFiction is affected by SQL injection (CWE-89), unrestricted file upload (CWE-434) and cross-site scripting (CWE-79) vulnerabilities. Together these let an attacker read and modify sensitive information, gain unauthorized access, alter or corrupt the underlying database, and capture a victim's authentication credentials. One reported SQL injection vector is a 'UNION SELECT' statement injected through a parameter of the 'viewuser.php' page, which appends the attacker's own SELECT to the application's query so that rows from other columns or tables are returned in place of the expected profile data.
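The following is an added illustration, not code from eFiction or from the advisory: it models the 'viewuser.php' style of query in Python against an in-memory SQLite table with a constructed schema (table and column names are assumptions) to show why a 'UNION SELECT' in the user-id parameter leaks other columns, and what the parameterized replacement looks like.

```python
import sqlite3


def make_db():
    """Constructed sample data modelled on an author-profile table; not eFiction's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE authors (
            uid      INTEGER PRIMARY KEY,
            penname  TEXT NOT NULL,
            bio      TEXT NOT NULL,
            email    TEXT NOT NULL,
            password TEXT NOT NULL   -- stored password hash (constructed values)
        );
        INSERT INTO authors VALUES
            (1, 'alice', 'Writes space opera.', 'alice@example.org', '5f4dcc3b5aa765d61d8327deb882cf99'),
            (2, 'bob',   'Mostly drabbles.',    'bob@example.org',   '098f6bcd4621d373cade4e832627b4f6');
        """
    )
    return conn


def view_user_vulnerable(conn, uid):
    """The unsafe pattern: the request parameter is interpolated straight into the SQL text."""
    sql = f"SELECT penname, bio FROM authors WHERE uid = {uid}"
    return conn.execute(sql).fetchall()


def view_user_fixed(conn, uid):
    """Validate the parameter's shape, then bind it; a bound value cannot change query structure."""
    if not str(uid).isdigit():
        raise ValueError("uid must be a non-negative integer")
    sql = "SELECT penname, bio FROM authors WHERE uid = ?"
    return conn.execute(sql, (int(uid),)).fetchall()


# A UNION SELECT payload of the kind the advisory describes: the leading 0 matches no row,
# so only the attacker's appended SELECT produces output. The appended SELECT must return
# the same number of columns (two) as the original query for the UNION to be accepted.
UNION_PAYLOAD = "0 UNION SELECT email, password FROM authors"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", view_user_vulnerable(db, UNION_PAYLOAD))
    print("fixed, uid=1:", view_user_fixed(db, "1"))
    try:
        view_user_fixed(db, UNION_PAYLOAD)
    except ValueError as exc:
        print("fixed rejects payload:", exc)
```

Run it and the vulnerable function returns every author's e-mail and password hash, which is exactly the "obtain a victim's authentication credentials" outcome described above; the fixed function rejects the payload before any SQL is executed, and even a numeric-looking payload would be bound as a single integer value rather than parsed as SQL.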
Mitigation:
To mitigate these vulnerabilities: use parameterized queries (prepared statements) instead of concatenating user input into SQL, and validate the expected type of each parameter before use; restrict file uploads by checking the file's size and actual content server-side against an allowlist, storing uploads under a server-generated name in a location the web server never executes scripts from, and ignoring the client-supplied filename and extension; and apply context-appropriate output encoding (HTML-escaping for page content) to all user-controlled data to prevent XSS.
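As an added example (not eFiction's code, and the upload policy, size limit and directory are assumptions), the upload and output-encoding parts of that mitigation in Python: content is identified by magic bytes rather than the client's filename, the stored name and extension are chosen by the server, the destination path is checked to stay inside the upload directory, and user-controlled text is HTML-escaped before rendering.

```python
import html
import os
import secrets

# Constructed allowlist of image signatures a profile-avatar upload might accept.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_UPLOAD_BYTES = 512 * 1024  # assumed limit


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def sniff_image_type(data):
    """Return the allowlisted extension for the content's magic bytes, or None if no match."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(client_filename, data):
    """Accept only allowlisted image content and return a server-chosen stored filename.

    The client filename is deliberately unused: names like 'avatar.php' or 'shell.php.png'
    therefore cannot influence the extension the web server will see.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    ext = sniff_image_type(data)
    if ext is None:
        raise UploadRejected("content is not an allowed image type")
    # Defence in depth against image/PHP polyglots; the real control is that the upload
    # directory is never script-executable, this only catches the obvious case.
    if b"<?php" in data:
        raise UploadRejected("embedded PHP tag in upload")
    return f"{secrets.token_hex(16)}.{ext}"


def stored_path(upload_dir, stored_name):
    """Join the stored name onto the upload directory and refuse anything that escapes it."""
    path = os.path.normpath(os.path.join(upload_dir, stored_name))
    if os.path.dirname(path) != os.path.normpath(upload_dir):
        raise UploadRejected("path escapes upload directory")
    return path


def render_penname(penname):
    """HTML-encode user-controlled text before placing it in an HTML body or attribute context."""
    return html.escape(penname, quote=True)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64  # constructed minimal PNG header
    name = validate_upload("shell.php.png", png)
    print("stored as:", stored_path("/srv/efiction_uploads", name))
    print(render_penname('<script>alert("xss")</script>'))
```

The stored name is random hex plus a sniffed extension, so neither the original name nor any double extension survives; the HTML-escaping call is the output-encoding step for body content and quoted attributes, and a different encoder is needed for JavaScript or URL contexts.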