CVE-2007-6472

Multiple SQL injection vulnerabilities in phpMyRealty (PMR) 1.0.9 allow (1) remote attackers to execute arbitrary SQL commands via the type parameter to search.php and (2) remote authenticated administrators to execute arbitrary SQL commands via the listing_updated_days parameter to admin/findlistings.php. NOTE: some of these details are obtained from third party information.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://secunia.com/advisories/28155	Vendor Advisory
http://www.osvdb.org/39267
http://www.securityfocus.com/bid/26932
https://exchange.xforce.ibmcloud.com/vulnerabilities/39121
https://exchange.xforce.ibmcloud.com/vulnerabilities/39122
https://www.exploit-db.com/exploits/4750

Configurations

Configuration 1 (hide)

cpe:2.3:a:phpmyrealty:phpmyrealty:1.0.9:*:*:*:*:*:*:*

History

No history.

Information

Published : 2007-12-20 20:46

Updated : 2024-02-28 11:01

NVD link : CVE-2007-6472

Mitre link : CVE-2007-6472

CVE.ORG link : CVE-2007-6472

JSON object : View

Products Affected

phpmyrealty

phpmyrealty

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2007-6472", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2007-12-20T20:46:00.000", "references": [{"url": "http://secunia.com/advisories/28155", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.osvdb.org/39267", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/26932", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39121", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39122", "source": "cve@mitre.org"}, {"url": "https://www.exploit-db.com/exploits/4750", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in phpMyRealty (PMR) 1.0.9 allow (1) remote attackers to execute arbitrary SQL commands via the type parameter to search.php and (2) remote authenticated administrators to execute arbitrary SQL commands via the listing_updated_days parameter to admin/findlistings.php. NOTE: some of these details are obtained from third party information."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en phpMyRealty (PMR) 1.0.9 permiten (1) a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del par\u00e1metro type de search.php y (2) a administradores autenticados ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del par\u00e1metro listing_updated_days de admin/findlistings.php. NOTA: algunos de estos detalles se han obtenido de informaci\u00f3n de terceros."}], "lastModified": "2017-09-29T01:29:57.207", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:phpmyrealty:phpmyrealty:1.0.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E64496F-BB97-44DC-B9A3-46EBAD7D10D6"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}