CVE-2007-1021

The CVE-2007-1021 entry concerns CodeAvalanche News 1.x, where a SQL injection flaw in inc_listnews.asp allows remote attackers to execute arbitrary SQL commands via the CAT_ID parameter. The underlying issue is improper handling/validation of CAT_ID, enabling crafted input to affect the database...

CVE-2006-2500

CANews 1.2 is affected by a Cross-Site Scripting (XSS) vulnerability in add_news.asp where the Headline field accepts input that can inject arbitrary script/HTML. The root cause is insufficient input sanitization for that field, enabling remote attackers to execute script in a victim’s browser. T...

CVE-2006-2499

CVE-2006-2499 affects CodeAvalanche News (CANews) 1.2, where a SQL injection in default.asp via the password field allows remote execution of arbitrary SQL. The linked data list a CVSSv2 base score of 7.5 (HIGH) with NETWORK attack vector, LOW access complexity, and no authentication required, yi...