{"enchantments": {"score": {"vector": "NONE", "value": 7.5}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-3494"]}, {"type": "osvdb", "idList": ["OSVDB:26985", "OSVDB:26990", "OSVDB:26993", "OSVDB:26981", "OSVDB:26984", "OSVDB:26983", "OSVDB:26980", "OSVDB:26982"]}], "modified": "2017-04-28T13:20:23"}, "vulnersScore": 7.5}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Buddy Zone", "operator": "eq", "version": "1.0.1"}], "references": [], "href": "https://vulners.com/osvdb/OSVDB:26979", "id": "OSVDB:26979", "title": "Buddy Zone view_sub_forum.php main_cat Variable SQL Injection", "history": [], "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "lastseen": "2017-04-28T13:20:23", "edition": 1, "hash": "845e4db08871b85571cd2a85b9878b84c963a9c4cef1644bac7376ef17df3490", "objectVersion": "1.2", "reporter": "luny(luny@youfucktard.com)", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_sub_forum.php script not properly sanitizing user-supplied input to the 'main_cat' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_sub_forum.php script not properly sanitizing user-supplied input to the 'main_cat' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Manual Testing Notes\nhttp://[target]/view_sub_forum.php?main_cat='\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26981](https://vulners.com/osvdb/OSVDB:26981)\n[Related OSVDB ID: 26982](https://vulners.com/osvdb/OSVDB:26982)\n[Related OSVDB ID: 26983](https://vulners.com/osvdb/OSVDB:26983)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26985](https://vulners.com/osvdb/OSVDB:26985)\n[Related OSVDB ID: 26980](https://vulners.com/osvdb/OSVDB:26980)\n[Related OSVDB ID: 26984](https://vulners.com/osvdb/OSVDB:26984)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nISS X-Force ID: 27514\nISS X-Force ID: 27515\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\n", "modified": "2006-06-30T09:33:59", "viewCount": 0, "published": "2006-06-30T09:33:59", "cvelist": ["CVE-2006-3494"], "hashmap": [{"key": "affectedSoftware", "hash": "2c45006ef0058b16213dcc98b36e5084"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "65511afc49ef5e5d9d7b78114669b243"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "description", "hash": "ffef896b08d1b6a043927f454dcdf0c5"}, {"key": "href", "hash": "ec8da45774aeb13f6a716b47aed3564f"}, {"key": "modified", "hash": "c55d57caa3f08e81e44aea0de0c01df0"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "c55d57caa3f08e81e44aea0de0c01df0"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "1ecbff27b0062287be6ddd5f3644abbb"}, {"key": "title", "hash": "c0345161c5cd5bdc0346c993cc54a5d9"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}]}

{"cve": [{"lastseen": "2018-10-19T11:35:59", "bulletinFamily": "NVD", "description": "Multiple cross-site scripting (XSS) vulnerabilities in Buddy Zone 1.0.1 allow remote attackers to inject arbitrary HTML and web script via the (1) cat_id parameter to (a) view_classifieds.php; (2) id parameter in (b) view_ad.php; (3) event_id parameter in (c) view_event.php, (d) delete_event.php, and (e) edit_event.php; and (4) group_id in (f) view_group.php.", "modified": "2018-10-18T12:47:45", "published": "2006-07-10T18:05:00", "id": "CVE-2006-3494", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3494", "title": "CVE-2006-3494", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_group.php script not properly sanitizing user-supplied input to the 'group_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_group.php script not properly sanitizing user-supplied input to the 'group_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Manual Testing Notes\nhttp://[target]/view_group.php?group_id='\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26981](https://vulners.com/osvdb/OSVDB:26981)\n[Related OSVDB ID: 26982](https://vulners.com/osvdb/OSVDB:26982)\n[Related OSVDB ID: 26983](https://vulners.com/osvdb/OSVDB:26983)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26980](https://vulners.com/osvdb/OSVDB:26980)\n[Related OSVDB ID: 26984](https://vulners.com/osvdb/OSVDB:26984)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nISS X-Force ID: 27514\nISS X-Force ID: 27515\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26985", "id": "OSVDB:26985", "title": "Buddy Zone view_group.php group_id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_ad.php script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_ad.php script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Manual Testing Notes\nhttp://[target]/view_ad.php?id=4'\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26982](https://vulners.com/osvdb/OSVDB:26982)\n[Related OSVDB ID: 26983](https://vulners.com/osvdb/OSVDB:26983)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26985](https://vulners.com/osvdb/OSVDB:26985)\n[Related OSVDB ID: 26980](https://vulners.com/osvdb/OSVDB:26980)\n[Related OSVDB ID: 26984](https://vulners.com/osvdb/OSVDB:26984)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nISS X-Force ID: 27514\nISS X-Force ID: 27515\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26981", "id": "OSVDB:26981", "title": "Buddy Zone view_ad.php id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the edit_event.php script not properly sanitizing user-supplied input to the 'event_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the edit_event.php script not properly sanitizing user-supplied input to the 'event_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Manual Testing Notes\nhttp://[target]/edit_event.php?event_id='\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26981](https://vulners.com/osvdb/OSVDB:26981)\n[Related OSVDB ID: 26982](https://vulners.com/osvdb/OSVDB:26982)\n[Related OSVDB ID: 26983](https://vulners.com/osvdb/OSVDB:26983)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26985](https://vulners.com/osvdb/OSVDB:26985)\n[Related OSVDB ID: 26980](https://vulners.com/osvdb/OSVDB:26980)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nISS X-Force ID: 27514\nISS X-Force ID: 27515\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26984", "id": "OSVDB:26984", "title": "Buddy Zone edit_event.php event_id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate form fields upon submission to the view_event.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 1.0.1 (2006-07-15) or higher, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the July 15, 2006 release without a change in version number. An upgrade is required as there are no known workarounds.\n## Short Description\nBuddy Zone contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate form fields upon submission to the view_event.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26991](https://vulners.com/osvdb/OSVDB:26991)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26988](https://vulners.com/osvdb/OSVDB:26988)\n[Related OSVDB ID: 26989](https://vulners.com/osvdb/OSVDB:26989)\n[Related OSVDB ID: 26993](https://vulners.com/osvdb/OSVDB:26993)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26992](https://vulners.com/osvdb/OSVDB:26992)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0245.html\nISS X-Force ID: 27512\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\nBugtraq ID: 18759\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26990", "id": "OSVDB:26990", "title": "Buddy Zone view_event.php XSS", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate form fields upon submission to the view_group.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 1.0.1 (2006-07-15) or higher, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the July 15, 2006 release without a change in version number. An upgrade is required as there are no known workarounds.\n## Short Description\nBuddy Zone contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate form fields upon submission to the view_group.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26990](https://vulners.com/osvdb/OSVDB:26990)\n[Related OSVDB ID: 26991](https://vulners.com/osvdb/OSVDB:26991)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26988](https://vulners.com/osvdb/OSVDB:26988)\n[Related OSVDB ID: 26989](https://vulners.com/osvdb/OSVDB:26989)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26992](https://vulners.com/osvdb/OSVDB:26992)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0245.html\nISS X-Force ID: 27512\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\nBugtraq ID: 18759\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26993", "id": "OSVDB:26993", "title": "Buddy Zone view_group.php XSS", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_classifieds.php script not properly sanitizing user-supplied input to the 'cat_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_classifieds.php script not properly sanitizing user-supplied input to the 'cat_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Manual Testing Notes\nhttp://[target]/view_classifieds.php?cat_id=8'\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26981](https://vulners.com/osvdb/OSVDB:26981)\n[Related OSVDB ID: 26982](https://vulners.com/osvdb/OSVDB:26982)\n[Related OSVDB ID: 26983](https://vulners.com/osvdb/OSVDB:26983)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26985](https://vulners.com/osvdb/OSVDB:26985)\n[Related OSVDB ID: 26984](https://vulners.com/osvdb/OSVDB:26984)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nISS X-Force ID: 27514\nISS X-Force ID: 27515\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26980", "id": "OSVDB:26980", "title": "Buddy Zone view_classifieds.php cat_id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the delete_event.php script not properly sanitizing user-supplied input to the 'event_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the delete_event.php script not properly sanitizing user-supplied input to the 'event_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Manual Testing Notes\nhttp://[target]/delete_event.php?event_id='\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26981](https://vulners.com/osvdb/OSVDB:26981)\n[Related OSVDB ID: 26982](https://vulners.com/osvdb/OSVDB:26982)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26985](https://vulners.com/osvdb/OSVDB:26985)\n[Related OSVDB ID: 26980](https://vulners.com/osvdb/OSVDB:26980)\n[Related OSVDB ID: 26984](https://vulners.com/osvdb/OSVDB:26984)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nISS X-Force ID: 27514\nISS X-Force ID: 27515\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26983", "id": "OSVDB:26983", "title": "Buddy Zone delete_event.php event_id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_event.php script not properly sanitizing user-supplied input to the 'event_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBuddy Zone contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_event.php script not properly sanitizing user-supplied input to the 'event_id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n\nAdditionally, if a failed query is performed, the program will disclose the softwares installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Manual Testing Notes\nhttp://[target]/view_event.php?event_id=8'\n## References:\nVendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html\n[Secunia Advisory ID:20933](https://secuniaresearch.flexerasoftware.com/advisories/20933/)\n[Related OSVDB ID: 26981](https://vulners.com/osvdb/OSVDB:26981)\n[Related OSVDB ID: 26983](https://vulners.com/osvdb/OSVDB:26983)\n[Related OSVDB ID: 26986](https://vulners.com/osvdb/OSVDB:26986)\n[Related OSVDB ID: 26979](https://vulners.com/osvdb/OSVDB:26979)\n[Related OSVDB ID: 26985](https://vulners.com/osvdb/OSVDB:26985)\n[Related OSVDB ID: 26980](https://vulners.com/osvdb/OSVDB:26980)\n[Related OSVDB ID: 26984](https://vulners.com/osvdb/OSVDB:26984)\n[Related OSVDB ID: 26987](https://vulners.com/osvdb/OSVDB:26987)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html\nISS X-Force ID: 27514\nISS X-Force ID: 27515\nFrSIRT Advisory: ADV-2006-2645\n[CVE-2006-3494](https://vulners.com/cve/CVE-2006-3494)\n", "modified": "2006-06-30T09:33:59", "published": "2006-06-30T09:33:59", "href": "https://vulners.com/osvdb/OSVDB:26982", "id": "OSVDB:26982", "title": "Buddy Zone view_event.php event_id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}