CVE-2006-2541

SQL injection vulnerability in settings.asp in Zixforum 1.12 allows remote attackers to execute arbitrary SQL commands via the layid parameter to (1) login.asp and (2) main.asp.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.kapda.ir/advisory-327.html	Exploit Vendor Advisory
http://www.securityfocus.com/bid/18043	Exploit
http://secunia.com/advisories/20190	Vendor Advisory
http://www.osvdb.org/25707
http://securityreason.com/securityalert/946
http://www.vupen.com/english/advisories/2006/1889
https://exchange.xforce.ibmcloud.com/vulnerabilities/26577
https://www.exploit-db.com/exploits/1807
http://www.securityfocus.com/archive/1/434575/100/0/threaded

Configurations

Configuration 1 (hide)

cpe:2.3:a:john_andersson:zixforum:1.12:*:*:*:*:*:*:*

Information

Published : 2006-05-23 10:06

Updated : 2018-10-18 16:40

NVD link : CVE-2006-2541

Mitre link : CVE-2006-2541

JSON object : View

Products Affected

john_andersson

zixforum

CWE

NVD-CWE-Other

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.kapda.ir/advisory-327.html", "name": "http://www.kapda.ir/advisory-327.html", "tags": ["Exploit", "Vendor Advisory"], "refsource": "MISC"}, {"url": "http://www.securityfocus.com/bid/18043", "name": "18043", "tags": ["Exploit"], "refsource": "BID"}, {"url": "http://secunia.com/advisories/20190", "name": "20190", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://www.osvdb.org/25707", "name": "25707", "tags": [], "refsource": "OSVDB"}, {"url": "http://securityreason.com/securityalert/946", "name": "946", "tags": [], "refsource": "SREASON"}, {"url": "http://www.vupen.com/english/advisories/2006/1889", "name": "ADV-2006-1889", "tags": [], "refsource": "VUPEN"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26577", "name": "zixforum-settings-sql-injection(26577)", "tags": [], "refsource": "XF"}, {"url": "https://www.exploit-db.com/exploits/1807", "name": "1807", "tags": [], "refsource": "EXPLOIT-DB"}, {"url": "http://www.securityfocus.com/archive/1/434575/100/0/threaded", "name": "20060520 Zix Forum <= 1.12 (layid) SQL Injection Vulnerability", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "SQL injection vulnerability in settings.asp in Zixforum 1.12 allows remote attackers to execute arbitrary SQL commands via the layid parameter to (1) login.asp and (2) main.asp."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2006-2541", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}}, "publishedDate": "2006-05-23T10:06Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:john_andersson:zixforum:1.12:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-18T16:40Z"}