CVE-2004-1949

SQL injection vulnerability in PostNuke 7.2.6 and earlier allows remote attackers to execute arbitrary SQL via (1) the sif parameter to index.php in the Comments module or (2) timezoneoffset parameter to changeinfo.php in the Your_Account module.

Published: Dec 31, 2004
Updated: Nov 9, 2025
CVE: CVE-2004-1949
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
postnuke_software_foundation / postnuke	0.726	0.726.x

http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/020154.html
http://marc.info/?l=bugtraq&m=108256503718978&w=2
http://news.postnuke.com/Article2580.html
http://secunia.com/advisories/11386
http://securitytracker.com/id?1009801
http://www.osvdb.org/5368
http://www.osvdb.org/5369
http://www.securityfocus.com/bid/10146
https://exchange.xforce.ibmcloud.com/vulnerabilities/15869
https://exchange.xforce.ibmcloud.com/vulnerabilities/15875

Vulnerability Database

CVE-2004-1949

Deep Security Visibility Without the Complexity