CVE-2006-2748

critical

Description

SQL injection vulnerability in the do_mysql_query function in core.php for Open Searchable Image Catalogue (OSIC) before 0.7.0.1 allows remote attackers to inject arbitrary SQL commands via multiple vectors, as demonstrated by the (1) type parameter in adminfunctions.php and the (2) catalogue_id parameter in editcatalogue.php.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/26968

http://www.securityfocus.com/bid/18169

http://www.securityfocus.com/archive/1/435380/100/0/threaded

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0605-001.txt

http://svn.sourceforge.net/viewcvs.cgi/osic-win/branches/osic_0-7/osic/core.php?r1=477&r2=631

http://sourceforge.net/forum/forum.php?forum_id=576483

http://securitytracker.com/id?1016178

http://securityreason.com/securityalert/1014

http://secunia.com/advisories/20341

Details

Source: Mitre, NVD

Published: 2006-06-01

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.01367