CVE-2009-3665
Published: 2009-10-11
Priority: P3 | 45 | high | 7.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 2.08% (79.2th percentile)
Multiple SQL injection vulnerabilities in index.php in Nullam Blog 0.1.2 allow remote attackers to execute arbitrary SQL commands via the (1) i parameter or (2) v parameters in a register action.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nullam | nullam_blog | — | — |
No detection rules found.
Exploit-DB: WordPress Plugin WP-Cumulus 1.20 - Full Path Disclosure / Cross-Site Scripting (exploitdb, 2009-11-25, CVE-2009-4170)
---
I want to warn you about security vulnerabilities in the WP-Cumulus plugin for WordPress.
These are Full Path Disclosure and Cross-Site Scripting vulnerabilities.
Full path disclosure:
http://server/wp-content/plugins/wp-cumulus/wp-cumulus.php
XSS:
http://server/wp-content/plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
Code will execute after click. It's strictly social XSS.
WP-Cumulus 1.20 and previous versions are vulnerable.
I mentioned these vulnerabilities at my site
(http://websecurity.com.ua/3665/).
P.S.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
Exploit-DB: nullam blog 0.1.2 - Local File Inclusion / File Disclosure / SQL Injection / Cross-Site Scripting (exploitdb, 2009-09-10, CVE-2009-3666)
---
--
Salvatore Fresta aka drosophila
CWNP444351
******** Salvatore "drosophila" Fresta ********
[+] Application: Nullam Blog
[+] Version: 0.1.2
[+] Website: http://nullam.net/
[+] Bugs: [A] Local File Inclusion
          [B] File Disclosure
          [C] Multiple Blind SQL Injection
          [D] SQL Injection
          [E] Reflected XSS
[+] Exploitation: Remote
[+] Date: 10 Sep 2009
[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com
[+] Menu
1) Bugs
2) Code
3) Fix
[+] Bugs
The following flaws are tested on version 0.1.2.
Other versions may also be affected.
- [A] Local File Inclusion
[-] Risk: high
[-] File affected: index.php
This
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/36648
- http://www.exploit-db.com/exploits/9625
- http://www.osvdb.org/57920
- http://www.securityfocus.com/archive/1/506380/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53218