vendor: phProfession
by: Unknown
CVSS: 7.5 (HIGH)
CWE: 200, 79, 89 (Path disclosure, cross-site scripting, SQL injection)
Product Name: phProfession
Affected Version From: phProfession 2.5
Affected Version To: Unknown
Patch Exists: NO
Related CWE: Unknown
CPE: a:postnuke:phprofession
Metasploit:
Other Scripts:
Platforms Tested: Unknown
Unknown

Multiple vulnerabilities in phProfession

Multiple vulnerabilities were reported to exist in phProfession, which is a third-party module for PostNuke. Path disclosure, cross-site scripting, and SQL injection vulnerabilities were reported. Exploitation of these issues may reveal sensitive information, allow for account hijacking, content manipulation, and attacks against the underlying database.

Mitigation:

Upgrade to a patched version of phProfession.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10190/info
 
Multiple vulnerabilities were reported to exist in phProfession, which is a third-party module for PostNuke. Path disclosure, cross-site scripting and SQL injection vulnerabilities were reported.
 
Exploitation of these issues may reveal sensitive information, allow for account hijacking, content manipulation and attacks against the underlying database.
 
These issues were reported to exist in phProfession 2.5. Other versions may also be affected.

http://www.example.com/postnuke0726/modules/phprofession/upload.php