Summary
PHPFinance is prone to an SQL-injection vulnerability and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may exploit the HTML-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is displayed, and launch other attacks.
The attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHPFinance 0.6 is vulnerable; other versions may also be affected.
References
Updated on 2015-03-25