vendor: phpCOIN
by: SecurityFocus
CVSS: 7.5 HIGH
SQL Injection and Cross-Site Scripting
CWE: 89, 79
Product Name: phpCOIN
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2004

Multiple Remote Input-Validation Vulnerabilities in phpCOIN

Multiple remote input-validation vulnerabilities affect phpCOIN because the application fails to properly sanitize user-supplied input before using it to carry out critical functionality. An attacker may leverage these issues to manipulate and view arbitrary database contents (by exploiting various SQL-injection issues) and to run arbitrary script code in the browser of an unsuspecting user (by exploiting multiple cross-site scripting vulnerabilities). Examples of vulnerable URLs include http://www.example.com/phpcoin/mod.php?mod=helpdesk&mode=new and http://www.example.com/phpcoin/mod.php?mod=mail&mode=reset&w=user, which can be exploited by appending malicious JavaScript code to the URL.

Mitigation:

Input validation should be performed to ensure that untrusted data is not used to manipulate or view arbitrary database contents or to run arbitrary script code in the browser of an unsuspecting user.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/12686/info

Multiple remote input-validation vulnerabilities affect phpCOIN because the application fails to properly sanitize user-supplied input before using it to carry out critical functionality.

An attacker may leverage these issues to manipulate and view arbitrary database contents (by exploiting various SQL-injection issues) and to run arbitrary script code in the browser of an unsuspecting user (by exploiting multiple cross-site scripting vulnerabilities). 


http://www.example.com/phpcoin/mod.php?mod=helpdesk&mode=new
%22%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E

http://www.example.com/phpcoin/mod.php?mod=mail&mode=reset&w=user
%22%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E
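
One way to look for the request pattern shown above in web-server access logs, as an added example that is not part of the original advisory or of phpCOIN: it flags `mod.php` requests whose parameter values decode to HTML markup, including double-encoded input. The log lines are constructed samples in combined log format, and the function and variable names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2005:10:00:01 +0000] "GET /phpcoin/mod.php?mod=helpdesk&mode=new HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Mar/2005:10:02:17 +0000] "GET /phpcoin/mod.php?mod=mail&mode=reset&w=user%22%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E HTTP/1.1" 200 5300',
    '192.0.2.44 - - [01/Mar/2005:10:02:40 +0000] "GET /phpcoin/mod.php?mod=helpdesk&mode=new%2522%253E%253Cscript%253Ex%253C/script%253E HTTP/1.1" 200 5290',
    '192.0.2.61 - - [01/Mar/2005:10:05:03 +0000] "GET /phpcoin/index.php?q=%3Cb%3E HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markup that has no place in mod/mode/w values: a quote closing an attribute
# followed by ">", or any opening/closing tag.
MARKUP_RE = re.compile(r'["\']\s*>|<\s*/?\s*[a-z!]', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input is seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_markup_in_mod_requests(lines):
    """Return (client, param, decoded_value) for mod.php requests carrying markup."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/mod.php"):
            continue  # only the script named in the advisory is in scope here
        for pair in parts.query.split("&"):  # split before decoding
            name, _, raw = pair.partition("=")
            value = fully_decode(raw)
            if MARKUP_RE.search(value):
                hits.append((client, name, value))
    return hits

if __name__ == "__main__":
    for hit in find_markup_in_mod_requests(SAMPLE_LOG):
        print(hit)
```

A hit only shows that such a request was received; whether the value was reflected unescaped depends on the installed phpCOIN version.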