vendor:
PKs Movie Database
by:
HouSSaMix From H-T Team
7.5
CVSS
HIGH
Remote SQL Injection Vulnerability and XSS
89, 79
CWE
Product Name: PKs Movie Database
Affected Version From: 3.0.3
Affected Version To: 3.0.3
Patch Exists: YES
Related CWE: N/A
CPE: a:pks_movie_database:pks_movie_database:3.0.3
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
PKs Movie Database version 3.0.3
The vulnerability exists due to insufficient sanitization of user-supplied input in the 'num' and 'category' parameters of 'index.php' script. A remote attacker can execute arbitrary SQL commands in application's database, inject arbitrary HTML and script code, steal cookie-based authentication credentials and launch other attacks.
Mitigation:
Input validation should be used to prevent SQL injection attacks. Refrain from using dynamic SQL queries and use parameterized queries instead. Use a whitelist of accepted inputs to prevent XSS attacks.
