Vulnerability Description
Multiple SQL injection vulnerabilities in the admin section in e107 0.7.5 allow remote authenticated administrative users to execute arbitrary SQL commands via the (1) linkopentype, (2) linkrender, (3) link_class, and (4) link_id parameters in (a) links.php; the (5) searchquery parameter in (b) users.php; and the (6) download_category_class parameter in (c) download.php. NOTE: an e107 developer has disputed the significance of the vulnerability, stating that "If your admins are injecting you, you might want to reconsider their access."
CVSS Score
4.6 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| E107 | E107 | <= 0.7.5 |
References
- http://e107.org/e107_plugins/bugtrack/bugtrack.php?id=3195&action=show
- http://securityreason.com/securityalert/1569
- http://www.securityfocus.com/archive/1/445005/100/100/threaded
FAQ
What is CVE-2006-4757?
CVE-2006-4757 is a vulnerability with a CVSS base score of 4.6 (MEDIUM). It covers multiple SQL injection flaws in the admin section of e107 0.7.5 that allow remote authenticated administrative users to execute arbitrary SQL commands via parameters in links.php, users.php and download.php; see the full description above for the individual parameters.
How severe is CVE-2006-4757?
CVE-2006-4757 has been rated MEDIUM with a CVSS base score of 4.6/10. Note that exploitation requires an authenticated administrative account, which is why an e107 developer disputed the significance of the issue.
Is there a patch for CVE-2006-4757?
Check the references section above for vendor advisories and patch information. The affected product is e107 (vendor E107), versions up to and including 0.7.5.