CVE-2013-5640

Published: 01/04/2014 Updated: 31/12/2016
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 760
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote malicious users to execute arbitrary SQL commands via the (1) answer_id or (2) question_id parameter to polls/vote.php, (3) story_id parameter to comments/add.php or (4) comments/edit.php, or (5) thread_id parameter to posts/add.php. NOTE: this issue was SPLIT due to differences in researchers and disclosure dates. CVE-2013-7349 already covers the news_id parameter to news/send.php, user_email parameter to users/register.php, and thread_id to posts/edit.php vectors.

Vulnerable Product

raoul proenca gnew 2013.1

Exploits

Gnew version 2013.1 suffers from file inclusion and remote SQL injection vulnerabilities ...

Gnew v2013.1 Multiple XSS And SQL Injection Vulnerabilities
Vendor: Raoul Proença
Product web page: www.gnew.fr
Affected version: 2013.1
Summary: Gnew is a simple Content Management System written with PHP language and using a database server (MySQL, PostgreSQL or SQLite) for storage.
Desc: Input passed via several parameters is not pr ...

Advisory ID: HTB23171
Product: Gnew
Vendor: Raoul Proença
Vulnerable Version(s): 2013.1 and probably prior
Tested Version: 2013.1
Advisory Publication: August 28, 2013 [without technical details]
Vendor Notification: August 28, 2013
Public Disclosure: October 2, 2013
Vulnerability Type: PHP File Inclusion [CWE-98], SQL Injection [CWE-89]
CVE Ref ...