CVE-2007-6380

Multiple SQL injection vulnerabilities in e-Xoops (exoops) 1.08, and 1.05 Rev 1 through 3, allow remote attackers to execute arbitrary SQL commands via the (1) lid parameter to (a) mylinks/ratelink.php, (b) adresses/ratefile.php, (c) mydownloads/ratefile.php, (d) mysections/ratefile.php, and (e) myalbum/ratephoto.php in modules/; the (2) bid parameter to (f) modules/banners/click.php; and the (3) gid parameter to (g) modules/arcade/index.php in a show_stats and play_game action, related issues to CVE-2007-5104 and CVE-2007-6266.

Published: Dec 15, 2007
Updated: Apr 13, 2023
CVE: CVE-2007-6380
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
e-xoops / e-xoops	1.05_rev3	1.05_rev3.x
e-xoops / e-xoops	1.08	1.08.x
e-xoops / e-xoops	1.05_rev1	1.05_rev1.x
e-xoops / e-xoops	1.05_rev2	1.05_rev2.x

http://lostmon.blogspot.com/2007/12/e-xoops-multiple-variablescripts-sql.html
http://www.securityfocus.com/bid/26796

Vulnerability Database

289,697

CVE-2007-6380