Summary
This host is installed with Etiko CMS and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow remote attackers to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data, and to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Impact Level: Application
Solution
No solution or patch is available as of 20th February, 2015. Information regarding this issue will be updated once the solution details are available. For updates refer to www.etikweb.com
Insight
Input passed via the 'page_id' GET parameter to the /loja/index.php script and via the 'article_id' parameter to the /index.php script is not validated before being returned to users.
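The Solution section cannot yet point at a vendor patch, so the following is an added, illustrative PHP handler (not Etiko CMS code) showing how a request parameter like 'page_id' is kept from reaching either the SQL query or the HTML output unchecked; the 'pages' table, its columns and the database credentials are assumed, and the same pattern applies to 'article_id' in /index.php.

```php
<?php
// Added, illustrative handler for a page lookup keyed by the 'page_id' GET
// parameter. Not Etiko CMS code; the 'pages' table, its columns and the
// connection details below are assumed placeholders.

// 1. Validate: page_id is an identifier, so anything that is not a positive
//    integer is rejected before it touches SQL or HTML.
//    filter_input returns null when the parameter is absent, false when it
//    fails validation.
$pageId = filter_input(INPUT_GET, 'page_id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($pageId === false || $pageId === null) {
    http_response_code(400);
    exit('Invalid page_id');   // constant string: nothing from the request is reflected
}

// 2. Query with a prepared statement so the value is bound, never interpolated
//    into the SQL text. Emulated prepares are disabled so the server does the binding.
$pdo = new PDO('mysql:host=localhost;dbname=cms', 'cmsuser', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('SELECT title, body FROM pages WHERE id = :id');
$stmt->bindValue(':id', $pageId, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    http_response_code(404);
    exit('Page not found');
}

// 3. Escape on output: every value that came from the database (and could
//    have been user-supplied when it was stored) goes through htmlspecialchars,
//    so it renders as text and is not interpreted as markup or script.
header('Content-Type: text/html; charset=UTF-8');
$e = static fn(string $s): string =>
    htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo '<h1>' . $e($row['title']) . '</h1>';
echo '<div>' . $e($row['body']) . '</div>';
// The validated integer itself is safe to echo: it is an int produced by the
// filter, not the raw query-string text.
echo '<p>Page ' . (int) $pageId . '</p>';
```

A scanner like the one this entry belongs to checks for the reflection described above; with the integer filter in place the reflected value can only ever be a number, which is the observable change a retest should confirm.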
Affected
Etiko CMS version 2.14 and earlier.
Detection
Send crafted data via an HTTP GET request and check whether it is able to read the cookie or not.
References
Severity
Classification
CVE: CVE-2014-8505, CVE-2014-8506
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P