Lucene search

[email protected]CVE-2005-4527

HistoryDec 28, 2005 - 1:03 a.m.

CVE-2005-4527

2005-12-2801:03:00

NVD-CWE-Other

[email protected]

web.nvd.nist.gov

cve-2005-4527

sql injection

direct news 4.9

remote code execution

index.php

search module parameters.

9.6 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

76.1%

JSON

Multiple SQL injection vulnerabilities in Direct News 4.9 allow remote attackers to execute arbitrary SQL commands via (1) the setLang parameter in index.php and (2) unspecified search module parameters.

CPENameOperatorVersion
direct_news:direct_newsdirect newseq4.9

CPE	Name	Operator	Version
direct_news:direct_news	direct news	eq	4.9

References

pridels0.blogspot.com/2005/12/direct-news-sql-inj.html

www.osvdb.org/21854

www.osvdb.org/22340

www.securityfocus.com/bid/15957/

exchange.xforce.ibmcloud.com/vulnerabilities/23727

9.6 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

76.1%

JSON