Vulnerability Details : CVE-2005-4366
Multiple SQL injection vulnerabilities in DRZES HMS 3.2 allow remote attackers to execute arbitrary SQL commands via the (1) plan_id parameter to (a) domains.php, (b) viewusage.php, (c) pop_accounts.php, (d) databases.php, (e) ftp_users.php, (f) crons.php, (g) pass_dirs.php, (h) zone_files.php, (i) htaccess.php, and (j) software.php; (2) the customerPlanID parameter to viewplan.php; (3) the ref_id parameter to referred_plans.php; (4) customerPlanID parameter to listcharges.php; and (5) the domain parameter to (k) pop_accounts.php, (d) databases.php, (e) ftp_users.php, (f) crons.php, (g) pass_dirs.php, (h) zone_files.php, (i) htaccess.php, and (j) software.php. NOTE: the viewinvoice.php invoiceID vector is already covered by CVE-2005-4137.
Vulnerability category: SQL Injection
Products affected by CVE-2005-4366
- cpe:2.3:a:fad_solutions:drzes_hms:3.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2005-4366
EPSS score: 0.82% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~72% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2005-4366
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N | 10.0 | 4.9 | NIST | 
References for CVE-2005-4366
- http://www.osvdb.org/21191
- http://www.osvdb.org/21189
- http://www.osvdb.org/21187
- http://www.osvdb.org/21182
- http://www.securityfocus.com/bid/15644
- http://www.osvdb.org/21188
- http://www.osvdb.org/21183
- http://www.osvdb.org/21192
- http://www.osvdb.org/21184
- http://www.osvdb.org/21180
- http://pridels0.blogspot.com/2005/11/drzes-hms-32-multiple-vuln.html
- http://www.osvdb.org/21181
- http://www.osvdb.org/21190
- http://www.osvdb.org/21179
- http://www.osvdb.org/21185
- http://www.osvdb.org/21186