CVE-2013-5640

EPSS 2.4%

Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote attackers to execute arbitrary SQL commands via the (1) answer_id or (2) question_id parameter to polls/vote.php, (3) story_id parameter to comments/add.php or (4) comments/edit.php, or (5) thread_id parameter to posts/add.php. NOTE: this issue was SPLIT due to differences in researchers and disclosure dates. CVE-2013-7349 already covers the news_id parameter to news/send.php, user_email parameter to users/register.php, and thread_id to posts/edit.php vectors.

Affected products

n/a · n/a

public PoCs found — 4

cve_referencepacketstormsecurity.com/files/123482unverified cve_referencewww.exploit-db.com/exploits/28684unverified exploitdbwww.exploit-db.com/exploits/27522unverified exploitdbwww.exploit-db.com/exploits/28684unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/123482 https://www.htbridge.com/advisory/HTB23171 http://www.exploit-db.com/exploits/28684 http://www.securityfocus.com/bid/62817