Vendor: PHPFinance
By: Unknown
CVSS: 7.5 (HIGH)
SQL Injection, HTML Injection
CWE: 89
Product Name: PHPFinance
Affected Version From: 0.6
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:phpfinance:phpfinance:0.6
Platforms Tested: Unknown
PHPFinance SQL Injection and HTML Injection Vulnerability
PHPFinance is prone to an SQL-injection vulnerability and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may exploit the HTML-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is displayed, and launch other attacks. The attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Mitigation:
The vendor has not provided a patch or update at the time of writing this report. It is recommended to sanitize user-supplied input to prevent SQL injection and HTML injection vulnerabilities.