PaNews Multiple Injection Vulnerabilities

High Nessus Network Monitor Plugin ID 2626


The remote host is running a vulnerable version of PaNews, a news management script written in PHP.


The remote host is running PaNews, a news management script written in PHP. This version of PaNews is vulnerable to a cross-site scripting (XSS) attack. To exploit this flaw, an attacker would need to convince an unsuspecting user to visit a malicious website. On successful exploitation, the attacker may be able to steal credentials or execute browser-side code. This version of PaNews is also reported to be prone to several remote SQL and HTML injection attacks. An attacker exploiting these flaws may be able to modify and view confidential data.


Upgrade or patch according to vendor recommendations.

Plugin Details

Severity: High

ID: 2626

File Name: 2626.prm

Family: CGI

Published: 2005/02/16

Modified: 2016/01/15

Dependencies: 1442

Nessus ID: 16479, 17574

Risk Information

Risk Factor: High


CVSS v2

Base Score: 7.5

Temporal Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:H/RL:U/RC:ND


CVSS v3

Base Score: 7.3

Temporal Score: 7.3


Temporal Vector: CVSS3#E:H/RL:U/RC:X

Reference Information

CVE: CVE-2005-0485, CVE-2005-0646, CVE-2005-0647

BID: 12687, 12576, 12611