vendor:
project-alumni
by:
tomplixsee
N/A
CVSS
MEDIUM
sql injection & xss
89
CWE
Product Name: project-alumni
Affected Version From: 1.0.9
Affected Version To: 1.0.8
Patch Exists: NO
Related CWE:
CPE: project-alumni
Platforms Tested:
Unknown
project-alumni sql injection & xss
The project-alumni software version 1.0.9, 1.0.8, or lower is affected by a sql injection vulnerability. The vulnerability exists due to bad filtering in the 'view.page.inc.php' and 'news.page.inc.php' files. An attacker can exploit this vulnerability by injecting malicious SQL queries through the 'year' parameter, which can lead to unauthorized access to the database. Another vulnerability is an xss vulnerability in the '/xml/index.php' file, which can be exploited by injecting malicious scripts through the 'year' parameter.
Mitigation:
To mitigate the sql injection vulnerability, it is recommended to properly filter and sanitize user input before using it in SQL queries. Additionally, enabling magic_quotes_gpc can provide some level of protection. To mitigate the xss vulnerability, it is recommended to properly filter and sanitize user input before displaying it on web pages, and to use output encoding to prevent script injection.