CVE-2008-2223
published 2008-05-14CVE-2008-2223: SQL injection vulnerability in group_posts.php in vShare YouTube Clone 2.6 allows remote attackers to execute arbitrary SQL commands via the tid parameter.
PriorityP339high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
1.06%
60.3th percentile
SQL injection vulnerability in group_posts.php in vShare YouTube Clone 2.6 allows remote attackers to execute arbitrary SQL commands via the tid parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| buyscripts | vshare_youtube_clone | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
CWE
Improper Input Validation
mitre_cwe
CWE-20 Improper Input Validation
CWE-20: Improper Input Validation
The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly.
Input validation is a frequently-used technique
for checking potentially dangerous inputs in order to
ensure that the inputs are safe for processing within the
code, or when communicating with other components. Input can consist of: raw data - strings, numbers, parameters, file contents, etc. metadata - information about the raw data, such as headers or size Data can be simple or structured. Structured data
can be composed of many nested layers, composed of
combinations of metadata and raw data, with other simple or
structured data. Many properties of raw data or metadata may n
CWE
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
mitre_cwe
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Phase: Implementation
Note: This weakness typically appears in data-rich applications that save user i
CWE
Improper Validation of Specified Type of Input
mitre_cwe·CVSS 8.8
[HIGH] CWE-1287 Improper Validation of Specified Type of Input
CWE-1287: Improper Validation of Specified Type of Input
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
When input does not comply with the expected type, attackers could trigger unexpected errors, cause incorrect actions to take place, or exploit latent vulnerabilities that would not be possible if the input conformed with the expected type. This weakness can appear in type-unsafe programming languages, or in programming languages that support casting or conversion of an input to another type.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Other. Impact: Varies by Context.
Potential Mitigations:
[Implementation] Assume all input is malicio
http://forums.buyscripts.in/viewtopic.php?f=7&t=3389http://secunia.com/advisories/30144http://www.securityfocus.com/bid/29114https://exchange.xforce.ibmcloud.com/vulnerabilities/42285https://www.exploit-db.com/exploits/5565http://forums.buyscripts.in/viewtopic.php?f=7&t=3389http://secunia.com/advisories/30144http://www.securityfocus.com/bid/29114https://exchange.xforce.ibmcloud.com/vulnerabilities/42285https://www.exploit-db.com/exploits/5565
2008-05-14
Published