CVE-2004-2551
CVE-2004-2551
Multiple SQL injection vulnerabilities in Layton HelpBox 3.0.1 allow remote attackers to execute arbitrary SQL commands via (1) the sys_comment_id parameter in editcommentenduser.asp, (2) the sys_suspend_id parameter in editsuspensionuser.asp, (3) the table parameter in export_data.asp, (4) the sys_analgroup parameter in manageanalgrouppreference.asp, (5) the sys_asset_id parameter in quickinfoassetrequests.asp, (6) the sys_eusername parameter in quickinfoenduserrequests.asp, and the sys_request_id parameter in (7) requestauditlog.asp, (8) requestcommentsenduser.asp, (9) selectrequestapplytemplate.asp, and (10) selectrequestlink.asp, resulting in an ability to create a new HelpBox user account and read, modify, or delete data from the backend database.
Affected products
n/a · n/apublic PoCs found — 1
exploitdbwww.exploit-db.com/exploits/24303unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://secunia.com/advisories/12118https://exchange.xforce.ibmcloud.com/vulnerabilities/16772https://exchange.xforce.ibmcloud.com/vulnerabilities/16774http://www.osvdb.org/8170http://www.osvdb.org/8171http://www.osvdb.org/8172http://www.osvdb.org/8173http://www.osvdb.org/8174http://www.osvdb.org/8175http://www.osvdb.org/8176http://www.osvdb.org/8177http://www.osvdb.org/8178