CVE-2010-4834

EUVD-2010-4799
Multiple SQL injection vulnerabilities in index.php in OneOrZero AIMS 2.6.0 Members Edition and 2.7.0 Trial Edition allow remote authenticated users to execute arbitrary SQL commands via the (1) id parameter in a saved_search action and (2) item_types parameter in a show_item_search action in the search_management_manage subcontroller. NOTE: some of these details are obtained from third party information.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 32%
Affected Products (NVD)
VendorProductVersion
oneorzeroaims
2.6.0
oneorzeroaims
2.7.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.org/files/view/95814/oneorzeroaims-lfisql.txt
http://secunia.com/advisories/42251
http://securityreason.com/securityalert/8375
http://www.exploit-db.com/exploits/15519
http://www.xenuser.org/documents/security/OneOrZero_Aims_multiple_vulnerabilities.txt
http://packetstormsecurity.org/files/view/95814/oneorzeroaims-lfisql.txt
http://secunia.com/advisories/42251
http://securityreason.com/securityalert/8375
http://www.exploit-db.com/exploits/15519
http://www.xenuser.org/documents/security/OneOrZero_Aims_multiple_vulnerabilities.txt