e-Vision CMS 2.0 Multiple Remote Vulnerabilities

Bugtraq ID:	30508
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Aug 01 2008 12:00AM
Updated:	Aug 01 2008 10:27PM
Credit:	IRCRASH
Vulnerable:	e-Vision e-Vision CMS 2.0
Not Vulnerable:

e-Vision CMS 2.0 Multiple Remote Vulnerabilities

e-Vision CMS is prone to multiple remote vulnerabilities:

- Multiple SQL-injection vulnerabilities
- A local file-include vulnerability
- An information-disclosure vulnerability
- An arbitrary-file-upload vulnerability

Exploiting these issues could allow an attacker to view sensitive information, upload and execute arbitrary code within the context of the webserver, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks are also possible.

e-Vision CMS 2.0 is vulnerable; other versions may also be affected.

e-Vision CMS 2.0 Multiple Remote Vulnerabilities

An attacker can exploit these issues via a browser.

The following exploit and example URIs are available:

• /data/vulnerabilities/exploits/30508.html

e-Vision CMS 2.0 Multiple Remote Vulnerabilities

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

e-Vision CMS 2.0 Multiple Remote Vulnerabilities

References:

• e-Vision CMS Home Page (e-Vision)
  
• e-Vision 2.0 Sql Injection/Remote File Disclosure/Remote File ([email protected])