CVE-2007-4956

critical

Description

Multiple SQL injection vulnerabilities in KwsPHP 1.0 allow remote attackers to execute arbitrary SQL commands via (1) the pseudo parameter to login.php, (2) the id parameter to index.php in a carnet editer action in the Member_Space (espace_membre) module, or (3) the typenav parameter to index.php in a browser aff action in the stats module.

References

https://www.exploit-db.com/exploits/4414

https://www.exploit-db.com/exploits/4413

https://www.exploit-db.com/exploits/4412

https://exchange.xforce.ibmcloud.com/vulnerabilities/36636

https://exchange.xforce.ibmcloud.com/vulnerabilities/36635

https://exchange.xforce.ibmcloud.com/vulnerabilities/36634

http://www.securityfocus.com/bid/25679

http://secunia.com/advisories/26850

http://osvdb.org/37182

http://osvdb.org/37180

http://koogar.alorys-hebergement.com/kwsphp/index.php?mod=news&ac=commentaires&id=29

Details

Source: Mitre, NVD

Published: 2007-09-18

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.02852