Description

Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) addressbook/register/edit_user_save.php; the email parameter to (4) addressbook/register/edit_user_save.php, (5) addressbook/register/reset_password.php, (6) addressbook/register/reset_password_save.php, or (7) addressbook/register/user_add_save.php; the username parameter to (8) addressbook/register/checklogin.php or (9) addressbook/register/reset_password_save.php; the (10) lastname, (11) firstname, (12) phone, (13) permissions, or (14) notes parameter to addressbook/register/edit_user_save.php; the (15) q parameter to addressbook/register/admin_index.php; the (16) site parameter to addressbook/register/linktick.php; the (17) password parameter to addressbook/register/reset_password.php; the (18) password_hint parameter to addressbook/register/reset_password_save.php; the (19) var parameter to addressbook/register/traffic.php; or a (20) BasicLogin cookie to addressbook/register/router.php.

Remediation

References

CVE-2013-0135

Related Vulnerabilities

OpenSSL Possible denial of service attack Vulnerability (CVE-2020-1971)

WordPress Plugin Cimy User Extra Fields Denial of Service (2.6.3)

Moodle Other Vulnerability (CVE-2005-3648)

WordPress Plugin Crayon Syntax Highlighter 'wp_load' Parameter Remote File Include (1.12.1)

WordPress Plugin Popup Modal For Youtube Cross-Site Scripting (1.0.1)

Severity

High

Classification

CVE-2013-0135 CWE-138

Tags

Missing Update Known Vulnerabilities