CVE-2008-4356

CVSS V2 High 7.5 CVSS V3 None

Description

Multiple SQL injection vulnerabilities in Kasseler CMS 1.1.0 and 1.2.0 allow remote attackers to execute arbitrary SQL commands via (1) the nid parameter to index.php in a View action to the News module; (2) the vid parameter to index.php in a Result action to the Voting module; (3) the fid parameter to index.php in a ShowForum action to the Forum module; (4) the tid parameter to index.php in a ShowTopic action to the Forum module; (5) the uname parameter to index.php in a UserInfo action to the Account module; or (6) the module parameter to index.php, probably related to the TopSites module.

Overview

CVE ID
CVE-2008-4356

Assigner
cve@mitre.org

Vulnerability Status
Modified

Published Version
2008-09-30T18:15:08

Last Modified Date
2017-09-29T01:32:07

Weakness Enumerations

CWE	URL
CWE-89	http://cwe.mitre.org/data/definitions/89.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:kasseler-cms:kasseler_cms:1.1.0:::::::*	1	OR
cpe:2.3:a:kasseler-cms:kasseler_cms:1.2.0:lite::::::	1	OR

CVSS Version 2

Version
2.0

Vector String
AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector
NETWORK

Access Compatibility
LOW

Authentication
NONE

Confidentiality Impact
PARTIAL

Integrity Impact
PARTIAL

Availability Impact
PARTIAL

Base Score
7.5

Severity
HIGH

Exploitability Score
10

Impact Score
6.4

References

Reference URL	Reference Tags
http://www.securityfocus.com/bid/31170	Exploit
http://secunia.com/advisories/31862
https://exchange.xforce.ibmcloud.com/vulnerabilities/45120
https://www.exploit-db.com/exploits/6460

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2008-4356
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4356

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 08:23:17				Added to TrackCVE