vendor: phProfession
by:
CVSS: 7.5 (HIGH)
CWE: Path disclosure, cross-site scripting, SQL injection
Product Name: phProfession
Affected Version From: 2.5
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Multiple vulnerabilities in phProfession module for PostNuke

Multiple vulnerabilities were reported in phProfession module for PostNuke. These vulnerabilities include path disclosure, cross-site scripting, and SQL injection. Exploitation of these vulnerabilities can lead to sensitive information disclosure, account hijacking, content manipulation, and attacks against the underlying database.

Mitigation:

Upgrade to a patched version of phProfession module.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10190/info

Multiple vulnerabilities were reported to exist in phProfession, which is a third-party module for PostNuke. Path disclosure, cross-site scripting and SQL injection vulnerabilities were reported. 

Exploitation of these issues may reveal sensitive information, allow for account hijacking, content manipulation and attacks against the underlying database.

These issues were reported to exist in phProfession 2.5. Other versions may also be affected.


http://www.example.com/postnuke0726/modules.php?op=modload&name=phprofession&file=index&offset=foobar