Published: 20/05/2015 Updated: 21/05/2015

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

VMScore: 760

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Multiple SQL injection vulnerabilities in the admin panel in osCMax prior to 2.5.1 allow (1) remote malicious users to execute arbitrary SQL commands via the username parameter in a process action to admin/login.php or (2) remote administrators to execute arbitrary SQL commands via the status parameter to admin/stats_monthly_sales.php or (3) country parameter in a process action to admin/create_account_process.php.

Vulnerable Product	Search on Vulmon	Subscribe to Product
oscmax oscmax

osCmax version 250 suffers from cross site scripting and remote SQL injection vulnerabilities ...

source: wwwsecurityfocuscom/bid/52886/info osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials ...

source: wwwsecurityfocuscom/bid/52886/info osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, ...

CWE-89 http://www.osvdb.org/80901 http://archives.neohapsis.com/archives/bugtraq/2012-04/0021.html http://bugtrack.oscmax.com/view.php?id=1165 http://www.osvdb.org/80902 http://www.oscmax.com/blog/michael_s/oscmax_v251_has_been_released_security_update https://www.htbridge.com/advisory/HTB23081 http://www.osvdb.org/80900 https://nvd.nist.gov https://packetstormsecurity.com/files/111559/osCmax-2.5.0-Cross-Site-Scripting-SQL-Injection.html https://www.exploit-db.com/exploits/37048/

CVE-2012-1665

Vulnerability Summary

Exploits

References

Vulmon Search

About

Products

Connect