ASP-Dev XM Event Diary Multiple Vulnerabilities

Published: 2009-01-30 13:33:42
CVE Author: NIST National Vulnerability Database (NVD)

CVSS Base Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact:
Successful exploitation will let the attacker execute arbitrary code in the context of the web application, or carry out an SQL injection attack to gain sensitive information about the database engine and table structures.

Affected Versions:
ASP-Dev XM Event Diary Multiple Vulnerabilities

Recommendations:
No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.

Summary:
The host is running ASP-Dev XM Events Diary and is prone to multiple vulnerabilities.

Technical Details:
- Input passed to the 'cat' parameter in 'default.asp' and 'diary_viewC.asp' is not properly sanitised before being used in SQL queries.
- Insufficient access control to the database file 'diary.mdb', which is used by the Events Diary web application.

Detection Type:
Remote Vulnerability

Solution Type:
Vendor will not fix

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2008-5923
https://nvd.nist.gov/vuln/detail/CVE-2008-5924
https://nvd.nist.gov/vuln/detail/CVE-2008-5925

SecurityFocus Bugtraq ID:

https://www.securityfocus.com/bid/32809

References:

http://secunia.com/advisories/33152

Severity:
High

CVSS Score:
7.5
