|
Description
|
|
Two vulnerabilities were identified in Mini-NUKE, which may be exploited by remote attackers to execute arbitrary SQL statements or gain unauthorized access to the application.
The first flaw is due to an input validation error in the "news.asp" script that does not properly validate the "hid" parameter before being used in SQL queries, which may be exploited by malicious people to conduct SQL injection attacks.
The second vulnerability is due to a design error where the change password functionality in "membership.asp" fails to properly verify old passwords, which could allow remote attackers to change other users' passwords via a specially crafted HTTP POST request.
|
