Gnew v2013.1 Multiple XSS And SQL Injection Vulnerabilities

Gnew 2013.1 suffers from multiple cross-site scripting and sql injection vulnerabilities. Input passed via several parameters is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user’s browser session in context of an affected site.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5153.php

Comment are closed.