Vulnerability Name: | CCN-8481
Published: | 2002-03-17
Updated: | 2002-03-17
Summary: | PHP-Nuke is vulnerable to account hijacking, caused by an insecure SQL call in the getusrinfo() function. A remote attacker with a valid account could alter the username in the SQL query when changing certain user information, which would cause the query to return another user's data. An attacker could use this vulnerability to gain access to any other user's account.
CVSS v3 Severity: | 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVSS v2 Severity: | 7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Vulnerability Consequences: | Gain Access
References: | Source: CCN Type: BugTraq Mailing List, Sun Mar 17 2002 - 09:56:57 CST PHP-Nuke & Post-Nuke account hijacking.
| Source: CCN Type: BugTraq Mailing List, Mon Mar 18 2002 - 12:11:32 CST RE: PHP-Nuke & Post-Nuke account hijacking.
| Source: CCN Type: PHP-Nuke Web site PHP-Nuke
| Source: CCN Type: PostNuke Web site PostNuke.com :: Rogue Content Management
| Source: CCN Type: BID-4302 PHP Nuke Account Compromise Vulnerability
| Source: XF Type: UNKNOWN phpnuke-postnuke-account-hijacking(8481)
Vulnerable Configuration: | Configuration CCN 1: