Summary
This host is running PHP Inventory and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow remote attackers to include arbitrary HTML or web script in the context of the user's browser, and to obtain and manipulate sensitive information.
Impact Level: Application.
Solution
Update to PHP Inventory version 1.3.2 or later.
For updates refer to http://www.phpwares.com/content/php-inventory
Insight
Multiple flaws exist because:
- Input passed via the 'user_id' parameter to 'index.php' and via the 'sup_id' parameter is not properly sanitised before being used in an SQL query.
- Input passed via the 'user' and 'pass' form fields to 'index.php' is not properly sanitised before being used in an SQL query.
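To make the flaw class concrete, the following is an added example (not PHP Inventory's code; the table and column names are assumptions, and the data is constructed) that models the two unsanitised lookups above and shows the parameter-binding fix side by side:

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the application's tables (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, user TEXT, pass TEXT)")
    db.execute("CREATE TABLE suppliers (sup_id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "s3cret"), (2, "clerk", "pw")])
    db.executemany("INSERT INTO suppliers VALUES (?, ?)",
                   [(10, "Acme"), (11, "Globex")])
    return db


def lookup_supplier_unsafe(db, sup_id):
    # Flaw class from the advisory: the request value is spliced into the SQL text,
    # so anything the client sends is parsed as part of the statement.
    return db.execute(f"SELECT name FROM suppliers WHERE sup_id = {sup_id}").fetchall()


def lookup_supplier_safe(db, sup_id):
    # Fix: enforce the expected type, then bind the value as a parameter.
    try:
        sup_id = int(sup_id)
    except (TypeError, ValueError):
        return []
    return db.execute("SELECT name FROM suppliers WHERE sup_id = ?", (sup_id,)).fetchall()


def login_unsafe(db, user, pw):
    # Same flaw for the 'user' / 'pass' form fields: string concatenation.
    q = f"SELECT user_id FROM users WHERE user = '{user}' AND pass = '{pw}'"
    return db.execute(q).fetchall()


def login_safe(db, user, pw):
    # Bound parameters: quotes in the input are data, never SQL syntax.
    return db.execute("SELECT user_id FROM users WHERE user = ? AND pass = ?",
                      (user, pw)).fetchall()


def unsafe_login_breaks_on_quote(db, user):
    # Check used to confirm input is being parsed as SQL: a lone apostrophe in a
    # legitimate name makes the concatenated statement fail to parse.
    try:
        login_unsafe(db, user, "x")
        return False
    except sqlite3.OperationalError:
        return True
```

Running `lookup_supplier_unsafe(make_db(), "10 OR 1=1")` returns every supplier row, which is the information disclosure the Impact section describes, while the safe variant rejects the same input.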
Affected
PHP Inventory version 1.2 and prior.
References
Severity
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Classification
CVE: CVE-2009-4595, CVE-2009-4596, CVE-2009-4597