Detections
Analytics

PaNews Multiple Injection Vulnerabilities

high Nessus Network Monitor Plugin ID 2626

Synopsis

The remote host is running a vulnerable version of PaNews, a news management script written in PHP.

Description

The remote host is running PaNews, a news management script written in PHP. This version of PaNews is vulnerable to a Cross-Site Scripting (XSS) attack. An attacker exploiting this flaw would need to be able to convince an unsuspecting user to visit a malicious website. Upon successful exploitation, the attacker would be able to possibly steal credentials or execute browser-side code. The version of PaNews is also reported to be prone to several remote SQL and HTML injection attacks. An attacker exploiting these flaws would be able to potentially modify and view confidential data.

Solution

Upgrade or patch according to vendor recommendations.

See Also

http://www.kernelpanik.org/docs/kernelpanik/panews.txt

http://archives.neohapsis.com/archives/bugtraq/2005-03/0006.html

Plugin Details

Severity: High

ID: 2626

Family: CGI

Published: 2/16/2005

Updated: 3/6/2019

Nessus ID: 16479, 17574

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:H/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:phparena:panews

Reference Information

CVE: CVE-2005-0485, CVE-2005-0646, CVE-2005-0647

BID: 12687, 12576, 12611