Details of VAR-200412-0954

ID

VAR-200412-0954

CVE

CVE-2004-1949

TITLE

PostNuke Phoenix Multiple modules SQL Injection vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200412-253

DESCRIPTION

SQL injection vulnerability in PostNuke 7.2.6 and earlier allows remote attackers to execute arbitrary SQL via (1) the sif parameter to index.php in the Comments module or (2) timezoneoffset parameter to changeinfo.php in the Your_Account module. This issue is due to a failure of the application to properly sanitize user supplied URI input. This may allow a remote attacker to manipulate query logic, potentially leading to unauthorized access to sensitive information such as the administrator password hash or corruption of database data. SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation

Trust: 1.35

sources: NVD: CVE-2004-1949 // BID: 10146 // IVD: a34490d2-23cc-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.2

sources: IVD: a34490d2-23cc-11e6-abef-000c29c66e3d

AFFECTED PRODUCTS

vendor:	postnuke	model:	postnuke	scope:	eq	version:	0.726	Trust: 1.6
vendor:	postnuke	model:	development team postnuke phoenix	scope:	eq	version:	0.726	Trust: 0.3
vendor:	postnuke	model:	-	scope:	eq	version:	0.726	Trust: 0.2

sources: IVD: a34490d2-23cc-11e6-abef-000c29c66e3d // BID: 10146 // CNNVD: CNNVD-200412-253 // NVD: CVE-2004-1949

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2004-1949
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-200412-253
value:	HIGH
Trust: 0.6
IVD:	a34490d2-23cc-11e6-abef-000c29c66e3d
value:	HIGH
Trust: 0.2

nvd@nist.gov:	CVE-2004-1949
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
IVD:	a34490d2-23cc-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: a34490d2-23cc-11e6-abef-000c29c66e3d // CNNVD: CNNVD-200412-253 // NVD: CVE-2004-1949

PROBLEMTYPE DATA

problemtype:

NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2004-1949

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200412-253

TYPE

SQL injection

Trust: 0.8

sources: IVD: a34490d2-23cc-11e6-abef-000c29c66e3d // CNNVD: CNNVD-200412-253

EXTERNAL IDS

db:	BID	id:	10146	Trust: 1.9
db:	NVD	id:	CVE-2004-1949	Trust: 1.8
db:	OSVDB	id:	5368	Trust: 1.6
db:	OSVDB	id:	5369	Trust: 1.6
db:	SECUNIA	id:	11386	Trust: 1.6
db:	SECTRACK	id:	1009801	Trust: 1.6
db:	CNNVD	id:	CNNVD-200412-253	Trust: 0.8
db:	XF	id:	15869	Trust: 0.6
db:	XF	id:	15875	Trust: 0.6
db:	FULLDISC	id:	20040414 [SCAN ASSOCIATES SDN BHD SECURITY ADVISORY] POSTNUKE V 0.726 AND BELOW SQL INJECTION	Trust: 0.6
db:	BUGTRAQ	id:	20040420 [PNSA 2004-2] POSTNUKE SECURITY ADVISORY PNSA 2004-2	Trust: 0.6
db:	IVD	id:	A34490D2-23CC-11E6-ABEF-000C29C66E3D	Trust: 0.2

sources: IVD: a34490d2-23cc-11e6-abef-000c29c66e3d // BID: 10146 // CNNVD: CNNVD-200412-253 // NVD: CVE-2004-1949

REFERENCES

url:	http://www.securityfocus.com/bid/10146	Trust: 1.6
url:	http://www.osvdb.org/5369	Trust: 1.6
url:	http://www.osvdb.org/5368	Trust: 1.6
url:	http://securitytracker.com/id?1009801	Trust: 1.6
url:	http://secunia.com/advisories/11386	Trust: 1.6
url:	http://news.postnuke.com/article2580.html	Trust: 1.6
url:	http://lists.grok.org.uk/pipermail/full-disclosure/2004-april/020154.html	Trust: 1.6
url:	http://marc.info/?l=bugtraq&m=108256503718978&w=2	Trust: 1.0
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/15869	Trust: 1.0
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/15875	Trust: 1.0
url:	http://xforce.iss.net/xforce/xfdb/15875	Trust: 0.6
url:	http://xforce.iss.net/xforce/xfdb/15869	Trust: 0.6
url:	http://marc.theaimsgroup.com/?l=bugtraq&m=108256503718978&w=2	Trust: 0.6
url:	http://www.postnuke.com	Trust: 0.3

sources: BID: 10146 // CNNVD: CNNVD-200412-253 // NVD: CVE-2004-1949

CREDITS

Disclosure of this issue is credited to pokley <pokleyzz@scan-associates.net>.

Trust: 0.9

sources: BID: 10146 // CNNVD: CNNVD-200412-253

SOURCES

db:	IVD	id:	a34490d2-23cc-11e6-abef-000c29c66e3d
db:	BID	id:	10146
db:	CNNVD	id:	CNNVD-200412-253
db:	NVD	id:	CVE-2004-1949

LAST UPDATE DATE

2024-08-14T13:40:15.828000+00:00

SOURCES UPDATE DATE

db:	BID	id:	10146	date:	2004-04-14T00:00:00
db:	CNNVD	id:	CNNVD-200412-253	date:	2006-04-07T00:00:00
db:	NVD	id:	CVE-2004-1949	date:	2017-07-11T01:31:29.637

SOURCES RELEASE DATE

db:	IVD	id:	a34490d2-23cc-11e6-abef-000c29c66e3d	date:	2004-12-31T00:00:00
db:	BID	id:	10146	date:	2004-04-14T00:00:00
db:	CNNVD	id:	CNNVD-200412-253	date:	2004-12-31T00:00:00
db:	NVD	id:	CVE-2004-1949	date:	2004-12-31T05:00:00