漏洞类别:CGI
漏洞等级: 
漏洞信息
Joomla! is a free open-source content management system written in PHP. It uses object oriented programming techniques and is built on a model-view-controller web application framework. It includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization. Huge-IT Catalog is a Joomla! video gallery component.
CVE-2016-1000119: SQL Injection in file ./models/submissions.php via id parameter, in ./models/comment.php via projectId parameter, in ./models/rating.php via projectId parameter, in models/catalog.php via id parameter, and via the removeslide parameter.
CVE-2016-1000120: Reflected XSS in file ./views/submissions/tmpl/default.php via message_id parameter.
Affected Versions:
Huge-IT Catalog 1.0.4 and prior
漏洞危害
Depending on the vulnerability being exploited, an attacker could conduct cross-site scripting or SQL injections on a targeted system.
解决方案
Customers are advised to install Huge-IT Catalog 1.0.5 or later versions to remediate this vulnerability.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0day
文章评论