Description
Multiple vulnerabilities have been identified in 6ALBlog that could be exploited by remote attackers to inject arbitrary SQL queries. These issues are caused by input validation errors in various scripts (e.g. "comments.php" and "member.php"), which do not properly validate user-supplied parameters (e.g. "newsid" or "member") before using them in SQL statements. Malicious users could exploit this to conduct SQL injection attacks and gain elevated privileges.
Note: A file inclusion vulnerability affecting the "admin/index.php" script when processing the "pg" parameter could be exploited by malicious administrators to include remote files.
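
As an added example (not part of the advisory and not 6ALBlog code), the following Python code triages web access-log lines for requests to the scripts named above whose parameters fall outside an expected shape. The expected shapes (numeric "newsid", simple names for "member" and "pg"), the /blog/ path and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Expected value shapes are assumptions; the advisory does not state them.
RULES = {
    ("comments.php", "newsid"): re.compile(r"\d{1,10}"),
    ("member.php", "member"): re.compile(r"[A-Za-z0-9_]{1,32}"),
    ("admin/index.php", "pg"): re.compile(r"[A-Za-z0-9_-]{1,32}"),
}
# Request line of a Common/Combined Log Format entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, hypothetical /blog/ path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /blog/comments.php?newsid=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /blog/comments.php?newsid=12%27 HTTP/1.1" 200 310',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /blog/member.php?member=alice HTTP/1.1" 200 2048',
    '192.0.2.44 - - [01/Jan/2024:10:00:12 +0000] "GET /blog/admin/index.php?pg=http%3A%2F%2Fexample.invalid%2Fx HTTP/1.1" 200 99',
]

def suspicious_params(log_line):
    """Return [(script, param, value)] for values outside the expected shape."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    # parse_qs percent-decodes, so encoded quotes and URLs are compared in clear.
    query = parse_qs(url.query, keep_blank_values=True)
    hits = []
    for (script, param), shape in RULES.items():
        if not url.path.lower().endswith("/" + script):
            continue
        for value in query.get(param, []):
            if not shape.fullmatch(value):
                hits.append((script, param, value))
    return hits

def scan(lines):
    """Flatten the hits for every line; POST bodies are not visible in access logs."""
    return [hit for line in lines for hit in suspicious_params(line)]

if __name__ == "__main__":
    for script, param, value in scan(SAMPLE_LOG):
        print(f"review: {script} {param}={value!r}")
```
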