Описание
The pnVarPrepForStore function in PostNuke 0.764 and earlier skips input sanitization when magic_quotes_runtime is enabled, which allows remote attackers to conduct SQL injection attacks and execute arbitrary SQL commands via input associated with server variables, as demonstrated by the CLIENT_IP HTTP header (HTTP_CLIENT_IP variable).
Уязвимые конфигурации
Конфигурация 1Версия до 0.764 (включая)
cpe:2.3:a:postnuke:postnuke:*:*:*:*:*:*:*:*
EPSS
Процентиль: 61%
0.00414
Низкий
7.5 High
CVSS2
Дефекты
CWE-89
Связанные уязвимости
github
почти 4 года назад
The pnVarPrepForStore function in PostNuke 0.764 and earlier skips input sanitization when magic_quotes_runtime is enabled, which allows remote attackers to conduct SQL injection attacks and execute arbitrary SQL commands via input associated with server variables, as demonstrated by the CLIENT_IP HTTP header (HTTP_CLIENT_IP variable).
EPSS
Процентиль: 61%
0.00414
Низкий
7.5 High
CVSS2
Дефекты
CWE-89