header-logo
Suggest Exploit
vendor:
Photopost PHP Pro
by:
Unknown
7.5
CVSS
HIGH
SQL Injection, Cross-Site Scripting, HTML Injection
Unknown
CWE
Product Name: Photopost PHP Pro
Affected Version From: 4.6.2000
Affected Version To: 4.8.2001
Patch Exists: YES
Related CWE: Unknown
CPE: Unknown
Metasploit:
Other Scripts:
Platforms Tested: Unknown
Unknown

Multiple SQL Injection, Cross-Site Scripting, and HTML Injection Vulnerabilities in Photopost PHP Pro

The application is prone to multiple vulnerabilities including SQL injection, cross-site scripting, and HTML injection. These vulnerabilities may allow an attacker to execute arbitrary HTML or script code in a user's browser and/or influence SQL query logic to disclose sensitive information and carry out other attacks.

Mitigation:

It is recommended to update to a secure version of Photopost PHP Pro that addresses these vulnerabilities. Additionally, input validation and output encoding should be implemented to prevent SQL injection, cross-site scripting, and HTML injection attacks.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/9994/info

Multiple SQL injection, cross-site scripting and HTML injection vulnerabilities have been identified in the application, which may allow an attacker to execute arbitrary HTML or script code in a user's browser and/or influence SQL query logic to disclose sensitive information and carry out other attacks. 

Photopost PHP Pro 4.6.0 and prior may be prone to these issues. Photopost PHP Pro 4.8.1 is reported vulnerable to these issues as well.

http://www.example.com/showgallery.php?ppuser=-2'%20UNION%20SELECT%200,email,
0,0,0,0,0,0%20FROM%20user%20WHERE%20userid='1&cat=500