{"type": "osvdb", "published": "2004-07-26T07:05:44", "href": "https://vulners.com/osvdb/OSVDB:8251", "hashmap": [{"key": "affectedSoftware", "hash": "98a0dde58f855edfc33610d66b90ac09"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "36eda2dd9a00f3fec13b0884ef1c3552"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "f3755bc74b11a8e176275b2393e4dcc6"}, {"key": "href", "hash": "f0c820f97d356bf07606eaf0fbcac3cf"}, {"key": "modified", "hash": "9b3cadb84444d65e5d66d063ee3962e2"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "9b3cadb84444d65e5d66d063ee3962e2"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "2eeff8320967aec0d5a58b6687c9a3a8"}, {"key": "title", "hash": "275d9b34ebb048757faf2799a78f0c52"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "bulletinFamily": "software", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "viewCount": 1, "history": [], "edition": 1, "objectVersion": "1.2", "reporter": "Ferruh Mavituna(ferruh@mavituna.com)", "title": "ASPRunner Multiple Unspecified SQL Injections", "affectedSoftware": [{"operator": "eq", "version": "2.4", "name": "ASPRunner"}], "enchantments": {"score": {"value": 7.3, "vector": "NONE", "modified": "2017-04-28T13:20:03"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-2057"]}, {"type": "nessus", "idList": ["ASPRUNNER_MULT.NASL"]}], "modified": "2017-04-28T13:20:03"}, "vulnersScore": 7.3}, "references": [], "id": "OSVDB:8251", "hash": "7b35ce1df48331ba1af3ffc0c99f25bfe745e3e6025228b892b60260393243b3", "lastseen": "2017-04-28T13:20:03", "cvelist": ["CVE-2004-2057"], "modified": "2004-07-26T07:05:44", "description": "## Vulnerability Description\nASPRunner contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that user-supplied input in all pages (except the login pages) are not verified properly and will allow a remote attacker to inject or manipulate SQL queries. No further details have been provided.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nASPRunner contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that user-supplied input in all pages (except the login pages) are not verified properly and will allow a remote attacker to inject or manipulate SQL queries. No further details have been provided.\n## References:\nVendor URL: http://www.xlinesoft.com/asprunner/\nSecurity Tracker: 1010777\n[Secunia Advisory ID:12164](https://secuniaresearch.flexerasoftware.com/advisories/12164/)\n[Related OSVDB ID: 8254](https://vulners.com/osvdb/OSVDB:8254)\n[Related OSVDB ID: 8252](https://vulners.com/osvdb/OSVDB:8252)\n[Related OSVDB ID: 8253](https://vulners.com/osvdb/OSVDB:8253)\nOther Advisory URL: http://ferruh.mavituna.com/article/?574\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-07/0291.html\nISS X-Force ID: 16799\n[CVE-2004-2057](https://vulners.com/cve/CVE-2004-2057)\nBugtraq ID: 10799\n"}

{"cve": [{"lastseen": "2019-05-29T18:08:04", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in ASPRunner 2.4 allows remote attackers to execute arbitrary SQL statements.", "modified": "2017-07-11T01:31:00", "id": "CVE-2004-2057", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2057", "published": "2004-12-31T05:00:00", "title": "CVE-2004-2057", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-12-13T06:40:44", "bulletinFamily": "scanner", "description": "The remote host is running ASPrunner prior to version 2.5. There are\nmultiple flaws in this version of ASPrunner which would enable a\nremote attacker to read and/or modify potentially confidential data.\n\nAn attacker, exploiting this flaw, would need access to the web server\nvia the network.", "modified": "2019-12-02T00:00:00", "id": "ASPRUNNER_MULT.NASL", "href": "https://www.tenable.com/plugins/nessus/14233", "published": "2004-08-09T00:00:00", "title": "ASPrunner 2.4 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(14233);\n script_version(\"1.33\");\n script_cvs_date(\"Date: 2018/11/15 20:50:16\");\n\n script_cve_id(\"CVE-2004-2057\", \"CVE-2004-2058\", \"CVE-2004-2059\", \"CVE-2004-2060\");\n script_bugtraq_id(10799);\n\n script_name(english:\"ASPrunner 2.4 Multiple Vulnerabilities\");\n script_summary(english:\"Check for multiple flaws in ASPrunner\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains an ASP script which is vulnerable to a\ncross-site scripting issue.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running ASPrunner prior to version 2.5. There are\nmultiple flaws in this version of ASPrunner which would enable a\nremote attacker to read and/or modify potentially confidential data.\n\nAn attacker, exploiting this flaw, would need access to the web server\nvia the network.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2004/Jul/300\");\n script_set_attribute(attribute:\"solution\", value:\"Unknown at this time.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/07/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/08/09\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencies(\"http_version.nasl\", \"no404.nasl\", \"cross_site_scripting.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80, embedded: 0);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nif (get_kb_item(strcat(\"www/\", port, \"/generic_xss\"))) exit(0);\n\n# there are multiple flaws. We'll check for XSS flaw which will be an indicator\n# of other flaws\n#\n# exploit string from http://www.securityfocus.com/bid/10799/exploit/\ninit = string(\"/export.asp?SQL=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Eselect+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C+++%5Ben%5D%2C+++%5Bdesc%5D++From+%5Bdictionary%5D++order+by+%5Ben%5D+desc&mypage=1&pagesize=20\");\n\nr = http_send_recv3(port: port, item: init, method: 'GET');\n\nif (\"<script>alert\" >< r[2])\n{\n \tsecurity_hole(port);\n\tset_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n}\n\n\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}