MaxWebPortal < 1.3.5 Multiple SQL Injection

high Nessus Network Monitor Plugin ID 2874

Synopsis

The remote web server contains a script that is vulnerable to a SQL injection attack.

Description

MaxWebPortal is a web portal that utilizes a backend SQL or MySQL database. This version of MaxWebPortal is vulnerable to multiple SQL Injection flaws. An attacker exploiting these flaws would only need to be able to send HTTP queries to the remote application. A successful attack would give the attacker the ability to read and write database data as well as potentially execute arbitrary remote commands on the SQL or MySQL system.

Solution

Upgrade to version 1.3.5 or higher.

Plugin Details

Severity: High

ID: 2874

Family: CGI

Published: 5/2/2005

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 6.6

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:H/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:maxwebportal:maxwebportal

Reference Information

CVE: CVE-2005-1417

BID: 13466