CVE-2009-4936

Multiple SQL injection vulnerabilities in Small Pirate (SPirate) 2.1 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to the default URI in an rss .xml action, or the id parameter to (2) pag1.php, (3) pag1-guest.php, (4) rss-comment_post.php (aka rss-coment_post.php), or (5) rss-pic-comment.php.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://osvdb.org/54784
http://osvdb.org/54785	Exploit
http://osvdb.org/54786	Exploit
http://secunia.com/advisories/35272	Vendor Advisory
http://osvdb.org/54788	Exploit
http://osvdb.org/54787	Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/50837
http://www.exploit-db.com/exploits/8819
http://www.securityfocus.com/archive/1/503863/100/0/threaded

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:spirate:small_pirate:2.1:*:*:*:*:*:*:*

Information

Published : 2010-07-21 22:40

Updated : 2018-10-10 12:49

NVD link : CVE-2009-4936

Mitre link : CVE-2009-4936

JSON object : View

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Advertisement

Products Affected

spirate

small_pirate

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://osvdb.org/54784", "name": "54784", "tags": [], "refsource": "OSVDB"}, {"url": "http://osvdb.org/54785", "name": "54785", "tags": ["Exploit"], "refsource": "OSVDB"}, {"url": "http://osvdb.org/54786", "name": "54786", "tags": ["Exploit"], "refsource": "OSVDB"}, {"url": "http://secunia.com/advisories/35272", "name": "35272", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://osvdb.org/54788", "name": "54788", "tags": ["Exploit"], "refsource": "OSVDB"}, {"url": "http://osvdb.org/54787", "name": "54787", "tags": ["Exploit"], "refsource": "OSVDB"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50837", "name": "small-pirate-id-sql-injection(50837)", "tags": [], "refsource": "XF"}, {"url": "http://www.exploit-db.com/exploits/8819", "name": "8819", "tags": [], "refsource": "EXPLOIT-DB"}, {"url": "http://www.securityfocus.com/archive/1/503863/100/0/threaded", "name": "20090528 MULTIPLE REMOTE VULNERABILITIES --Small Pirates v-2.1-->", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in Small Pirate (SPirate) 2.1 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to the default URI in an rss .xml action, or the id parameter to (2) pag1.php, (3) pag1-guest.php, (4) rss-comment_post.php (aka rss-coment_post.php), or (5) rss-pic-comment.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-89"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2009-4936", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2010-07-22T05:40Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:spirate:small_pirate:2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-10T19:49Z"}