CVE-2009-4669

Multiple SQL injection vulnerabilities in RoomPHPlanning 1.6 allow remote attackers to execute arbitrary SQL commands via (1) the loginus parameter to Login.php or (2) the Old Password field to changepwd.php, and allow (3) remote authenticated administrators to execute arbitrary SQL commands via the id parameter to admin/userform.php.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://secunia.com/advisories/35237	Vendor Advisory
http://www.exploit-db.com/exploits/8797
http://secunia.com/advisories/35237	Vendor Advisory
http://www.exploit-db.com/exploits/8797

Configurations

Configuration 1 (hide)

cpe:2.3:a:beaussier:roomphplanning:1.6:*:*:*:*:*:*:*

History

21 Nov 2024, 01:10

Type	Values Removed	Values Added
References	~~() http://secunia.com/advisories/35237 - Vendor Advisory~~	() http://secunia.com/advisories/35237 - Vendor Advisory
References	~~() http://www.exploit-db.com/exploits/8797 -~~	() http://www.exploit-db.com/exploits/8797 -

Information

Published : 2010-03-05 18:30

Updated : 2024-11-21 01:10

NVD link : CVE-2009-4669

Mitre link : CVE-2009-4669

CVE.ORG link : CVE-2009-4669

JSON object : View

Products Affected

beaussier

roomphplanning

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2009-4669", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2010-03-05T18:30:00.470", "references": [{"url": "http://secunia.com/advisories/35237", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.exploit-db.com/exploits/8797", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/35237", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.exploit-db.com/exploits/8797", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in RoomPHPlanning 1.6 allow remote attackers to execute arbitrary SQL commands via (1) the loginus parameter to Login.php or (2) the Old Password field to changepwd.php, and allow (3) remote authenticated administrators to execute arbitrary SQL commands via the id parameter to admin/userform.php."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en RoomPHPlanning v1.6 permite a atacantes remotos ejecutar comandos SQL de forma arbitraria a trav\u00e9s de (1) el par\u00e1metro \"loginus\" a Login.php o (2) El campo \"antigua contrase\u00f1a\" a changepwd.php, y permite (2) que administradores remotos autenticados ejecutar comandos SQL de forma arbitraria a trav\u00e9s del par\u00e1metro \"id\" a admin/userform.php."}], "lastModified": "2024-11-21T01:10:10.833", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:beaussier:roomphplanning:1.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11FE1C05-65AA-413B-9A3D-37E2DD9A707E"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}