Nucleus CMS action.php itemid Parameter SQL Injection

high Nessus Plugin ID 14194

Synopsis

The remote service is prone to a SQL injection.

Description

The remote host is running Nucleus CMS, an open source content management system.

There is a SQL injection condition in the remote version of this software that could allow an attacker to execute arbitrary SQL commands against the remote database.

An attacker could exploit this flaw to gain unauthorized access to the remote database and gain admin privileges on the remote CMS.

Solution

Upgrade to Nucleus 3.1 or newer.

See Also

https://marc.info/?l=bugtraq&m=109087144509299&w=2

Plugin Details

Severity: High

ID: 14194

File Name: nucleus_sql_injection.nasl

Version: 1.22

Type: remote

Family: CGI abuses

Published: 8/3/2004

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.3

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:nucleus_group:nucleus_cms

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 7/25/2004

Reference Information

CVE: CVE-2004-2056

BID: 10798