Web application abuses : TemaTres Multiple XSS and SQL Injection Vulnerabilities

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.800801

Category: Web application abuses

Title: TemaTres Multiple XSS and SQL Injection Vulnerabilities

Summary: TemaTres is prone to Multiple XSS and SQL Injection Vulnerabilities.

Description: Summary:
TemaTres is prone to Multiple XSS and SQL Injection Vulnerabilities.

Vulnerability Insight:
Multiple flaws are due to

- In-adequate check of user supplied input which causes input validation error
in the search form.

- Validation check error in accepting user input for the following parameters
a) _expresion_de_busqueda, b) letra c) estado_id and d) tema e) PATH_TO inside index.php.

- Validation check error in accepting user input for the following parameters
a) y b) ord and c) m inside sobre.php.

- Validation check error in accepting user input for the following parameters
a) mail b) password inside index.php.

- Validation check error in accepting user input for the following parameters
a) dcTema b) madsTema c) zthesTema d) skosTema and e) xtmTema inside xml.php.

Vulnerability Impact:
Successful attacks will let the attacker steal cookie-based authentication
credentials, compromise the application, access or modify data, or can exploit
latest vulnerabilities in the underlying database when 'magic_quotes_gpc' is disabled.

Affected Software/OS:
TemaTres version 1.031 and prior.

Solution:
Upgrade to TemaTres version 1.033 or later.

CVSS Score:
6.0

CVSS Vector:
AV:N/AC:M/Au:S/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2009-1583
BugTraq ID: 34830
http://www.securityfocus.com/bid/34830
Bugtraq: 20090505 MULTIPLE REMOTE VULNERABILITIES--TemaTres 1.0.3--> (Google Search)
http://www.securityfocus.com/archive/1/503252/100/0/threaded
https://www.exploit-db.com/exploits/8615
http://osvdb.org/54247
http://secunia.com/advisories/34983
http://secunia.com/advisories/34990
XForce ISS Database: tematres-term-xss(50343)
https://exchange.xforce.ibmcloud.com/vulnerabilities/50343
Common Vulnerability Exposure (CVE) ID: CVE-2009-1584
Bugtraq: 20090505 BLIND SQL INJECTION EXPLOIT--TemaTres 1.0.3--> (Google Search)
http://www.securityfocus.com/archive/1/503256
https://www.exploit-db.com/exploits/8616
http://osvdb.org/54245
http://osvdb.org/54246
Common Vulnerability Exposure (CVE) ID: CVE-2009-1585
http://osvdb.org/54244

Copyright Copyright (C) 2009 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.800801
Category:	Web application abuses
Title:	TemaTres Multiple XSS and SQL Injection Vulnerabilities
Summary:	TemaTres is prone to Multiple XSS and SQL Injection Vulnerabilities.
Description:	Summary: TemaTres is prone to Multiple XSS and SQL Injection Vulnerabilities. Vulnerability Insight: Multiple flaws are due to - In-adequate check of user supplied input which causes input validation error in the search form. - Validation check error in accepting user input for the following parameters a) _expresion_de_busqueda, b) letra c) estado_id and d) tema e) PATH_TO inside index.php. - Validation check error in accepting user input for the following parameters a) y b) ord and c) m inside sobre.php. - Validation check error in accepting user input for the following parameters a) mail b) password inside index.php. - Validation check error in accepting user input for the following parameters a) dcTema b) madsTema c) zthesTema d) skosTema and e) xtmTema inside xml.php. Vulnerability Impact: Successful attacks will let the attacker steal cookie-based authentication credentials, compromise the application, access or modify data, or can exploit latest vulnerabilities in the underlying database when 'magic_quotes_gpc' is disabled. Affected Software/OS: TemaTres version 1.031 and prior. Solution: Upgrade to TemaTres version 1.033 or later. CVSS Score: 6.0 CVSS Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2009-1583 BugTraq ID: 34830 http://www.securityfocus.com/bid/34830 Bugtraq: 20090505 MULTIPLE REMOTE VULNERABILITIES--TemaTres 1.0.3--> (Google Search) http://www.securityfocus.com/archive/1/503252/100/0/threaded https://www.exploit-db.com/exploits/8615 http://osvdb.org/54247 http://secunia.com/advisories/34983 http://secunia.com/advisories/34990 XForce ISS Database: tematres-term-xss(50343) https://exchange.xforce.ibmcloud.com/vulnerabilities/50343 Common Vulnerability Exposure (CVE) ID: CVE-2009-1584 Bugtraq: 20090505 BLIND SQL INJECTION EXPLOIT--TemaTres 1.0.3--> (Google Search) http://www.securityfocus.com/archive/1/503256 https://www.exploit-db.com/exploits/8616 http://osvdb.org/54245 http://osvdb.org/54246 Common Vulnerability Exposure (CVE) ID: CVE-2009-1585 http://osvdb.org/54244
Copyright	Copyright (C) 2009 Greenbone AG