CVE-2009-2366

SQL injection vulnerability in login.asp in DataCheck Solutions ForumPal FE 1.1 and ForumPal 1.5 allows remote attackers to execute arbitrary SQL commands via the (1) password parameter in 1.1 and (2) p_password parameter in 1.5. NOTE: some of these details are obtained from third party information.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://secunia.com/advisories/35589	Vendor Advisory
http://secunia.com/advisories/35603	Vendor Advisory
http://www.exploit-db.com/exploits/9024
http://www.osvdb.org/55496	Exploit
http://www.osvdb.org/55497	Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/51403

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:datachecknh:forumpal:1.5:::::::*
	cpe:2.3:a:datachecknh:forumpal_fe:1.1:::::::*

History

No history.

Information

Published : 2009-07-08 15:30

Updated : 2024-02-04 17:33

NVD link : CVE-2009-2366

Mitre link : CVE-2009-2366

CVE.ORG link : CVE-2009-2366

JSON object : View

Products Affected

datachecknh

forumpal_fe
forumpal

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2009-2366", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-07-08T15:30:01.343", "references": [{"url": "http://secunia.com/advisories/35589", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/35603", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.exploit-db.com/exploits/9024", "source": "cve@mitre.org"}, {"url": "http://www.osvdb.org/55496", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://www.osvdb.org/55497", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51403", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in login.asp in DataCheck Solutions ForumPal FE 1.1 and ForumPal 1.5 allows remote attackers to execute arbitrary SQL commands via the (1) password parameter in 1.1 and (2) p_password parameter in 1.5. NOTE: some of these details are obtained from third party information."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en login.asp en DataCheck Solutions ForumPal FE v1.1 y ForumPal v.1.5 permite a atacantes remotos ejecutar comandos SQL a su elecci\u00f3n a trav\u00e9s de (1) par\u00e1metro password en v1.1 y (2) par\u00e1metro p_password en v.1.5. NOTA: algunos de estos detalles se han obtenido exclusivamente de informaci\u00f3n de terceros."}], "lastModified": "2017-09-19T01:29:04.280", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:datachecknh:forumpal:1.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "902F1AA0-8056-4A42-8730-A7C1B0076698"}, {"criteria": "cpe:2.3:a:datachecknh:forumpal_fe:1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2170FD4B-44CB-4EB3-A610-F37B2A98CDFC"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}