Description
Multiple vulnerabilities have been discovered in Gnew, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
1) Input passed via the "category_id" POST parameter to news/submit.php (when "preview" is set to "Preview" and "news_subject" and "news_text" are set) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
2) Input passed via the "news_id" POST parameter to comments/add.php (when "preview" is set to "Preview" and "comment_subject" and "comment_text" are set) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
3) Input passed via the "post_subject" and "thread_id" POST parameters to posts/edit.php (when "preview_edited" is set to "Preview" and "category_id", "post_creation", "post_id", and "post_text" are set) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
4) Input passed via the "thread_id" POST parameter to posts/edit.php (when "preview_edited" is set to "Preview") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
5) Input passed via the "news_id" POST parameter to news/send.php (when "send" is set to "send" and "user_name", "user_email", and "friend_email" are set) is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
6) Input passed via the "user_email" POST parameter to users/password.php (when "password" is set to "Send" and "user_name" is set) is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
7) Input passed via the "user_email" POST parameter to users/register.php (when "register" is set to "Register") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
8) Input passed via the "answer_id" and "question_id" POST parameters to polls/vote.php (when "add_vote" is set to "Vote") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
9) Input passed via the "story_id" POST parameter to comments/index.php (when "add" is set to "Add") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerabilities are confirmed in version 2013.1. Other versions may also be affected.
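One way to screen the parameters listed above before Gnew's scripts run, as an added example (not Gnew code or a vendor patch): a PHP file that rejects malformed values. It assumes the "*_id" parameters are positive integers and "user_email" is a plain address; the rule table and the function names gnew_value_ok and gnew_violations are hypothetical.

```php
<?php
// Added example, not Gnew code. Assumption: *_id values are positive integers.
// post_subject is free text and needs htmlspecialchars() at output instead.
const GNEW_RULES = [
    '/news/submit.php'    => ['category_id' => 'int'],
    '/comments/add.php'   => ['news_id' => 'int'],
    '/posts/edit.php'     => ['thread_id' => 'int'],
    '/news/send.php'      => ['news_id' => 'int'],
    '/users/password.php' => ['user_email' => 'email'],
    '/users/register.php' => ['user_email' => 'email'],
    '/polls/vote.php'     => ['answer_id' => 'int', 'question_id' => 'int'],
    '/comments/index.php' => ['story_id' => 'int'],
];

function gnew_value_ok(string $type, $value): bool
{
    if (!is_string($value)) {
        return false; // arrays (param[]=...) are never expected for these fields
    }
    if ($type === 'int') {
        return preg_match('/\A[1-9][0-9]{0,9}\z/', $value) === 1;
    }
    // email: syntactically valid and free of characters that matter to SQL or HTML
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false
        && strpbrk($value, "'\"\\<>`;") === false;
}

function gnew_violations(string $script, array $post): array
{
    $bad = [];
    foreach (GNEW_RULES as $suffix => $params) {
        if (substr($script, -strlen($suffix)) !== $suffix) { continue; }
        foreach ($params as $name => $type) {
            if (array_key_exists($name, $post) && !gnew_value_ok($type, $post[$name])) {
                $bad[] = $name;
            }
        }
    }
    return $bad;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $bad = gnew_violations($_SERVER['SCRIPT_NAME'] ?? '', $_POST);
    if ($bad !== []) {
        error_log('gnew-shim: rejected ' . implode(',', $bad) . ' for ' . ($_SERVER['SCRIPT_NAME'] ?? ''));
        http_response_code(400);
        exit('Bad request');
    }
}
```

The file can be loaded ahead of every script with the auto_prepend_file setting in php.ini. It only screens requests; the queries still need to be parameterised and the preview output encoded in the application itself.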