Detections
Analytics
gigCalendar Component for Joomla! 'gigcal_gigs_id' Parameter SQLi
medium Nessus Plugin ID 35474
Language:
Synopsis
The remote web server contains a PHP application that is affected by a SQL injection vulnerability.Description
The version of the gigCalendar component for Joomla! running on the remote host is affected by a SQL injection vulnerability in the gigdetails.php script due to improper sanitization of user-supplied input to the 'gigcal_gigs_id' parameter before using it to construct database queries. Provided the PHP 'magic_quotes_gpc' setting is disabled, an unauthenticated, remote attacker can exploit this issue to manipulate database queries, resulting in disclosure of sensitive information, modification of data, or other attacks against the underlying database.Solution
Unknown at this time.Plugin Details
Severity: Medium
ID: 35474
File Name: joomla_gigcalendar_gigcal_gigs_id_sql_injection.nasl
Version: 1.21
Type: remote
Family: CGI abuses
Published: 1/29/2009
Updated: 4/11/2022
Configuration: Enable thorough checks
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.2
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 6.1
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: Medium
Base Score: 5.6
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Vulnerability Information
CPE: cpe:/a:joomla:joomla%5c%21
Required KB Items: www/PHP, installed_sw/Joomla!
Exploit Available: true
Exploit Ease: Exploits are available
Exploited by Nessus: true
Reference Information
CVE: CVE-2009-0726
BID: 33241
CWE: 89