CVE-2005-3236

critical

Description

Multiple SQL injection vulnerabilities in Cyphor 0.19 allow remote attackers to execute arbitrary SQL and obtain administrative access via (1) the fid parameter of newmsg.php, which can enable XSS attacks when the SQL syntax is invalid or (2) the nick parameter of lostpwd.php.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/22552

http://www.securityfocus.com/bid/15047

http://www.osvdb.org/19945

http://www.osvdb.org/19944

http://www.osvdb.org/19943

http://securitytracker.com/id?1015020

http://securityreason.com/securityalert/70

http://secunia.com/advisories/17104/

http://marc.info/?l=bugtraq&m=112879353805769&w=2

Details

Source: Mitre, NVD

Published: 2005-10-14

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.01652