vendor:
PHP-Fusion
by:
Ma3sTr0-Dz
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: PHP-Fusion
Affected Version From: 4.01
Affected Version To: 4.01
Patch Exists: NO
Related CWE: N/A
CPE: a:php-fusion:php-fusion:4.01
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: None
2010
PHP-Fusion v4.01 SQL INJECTION Vulnerabilities
A SQL injection vulnerability exists in PHP-Fusion v4.01. An attacker can exploit this vulnerability to gain access to sensitive information stored in the database. The vulnerability is due to insufficient sanitization of user-supplied input in the 'news_id' parameter of the 'readmore.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable script. This can allow the attacker to gain access to sensitive information stored in the database.
Mitigation:
Input validation should be used to ensure that user-supplied input is properly sanitized. Additionally, the application should be configured to use the least privileged user account with the least amount of privileges necessary to perform its functions.
