Lucene search

[email protected]CVE-2005-4486

HistoryDec 22, 2005 - 11:03 a.m.

CVE-2005-4486

2005-12-2211:03:00

NVD-CWE-Other

[email protected]

web.nvd.nist.gov

cve-2005-4486

sql injection

quantum art qp7.enterprise

remote attackers

arbitrary sql commands

9.3 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

55.0%

JSON

SQL injection vulnerability in Quantum Art QP7.Enterprise (formerly Q-Publishing) allows remote attackers to execute arbitrary SQL commands via the p_news_id parameter to (1) news_and_events_new.asp and (2) news.asp. NOTE: on 20060227, the vendor disputed the accuracy of this report, saying that the p_news_id, news_and_events_new.asp, and news.asp are not specifically part of their product, although they could be dynamically generated through use of the product. Some investigation by CVE suggests evidence that the news_and_events_new.asp page has at least a forced invalid SQL syntax error, but this could not be repeated for news.asp

CPENameOperatorVersion
quantum_art:qp7_enterprisequantum art qp7 enterpriseeq*

CPE	Name	Operator	Version
quantum_art:qp7_enterprise	quantum art qp7 enterprise	eq	*

References

pridels0.blogspot.com/2005/12/qp7enterprise-sql-vuln.html

www.osvdb.org/22069

www.osvdb.org/22070

www.securityfocus.com/bid/16022

9.3 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

55.0%

JSON