CVE-2005-3208 - OpenCVE

Multiple SQL injection vulnerabilities in (1) aeNovo, (2) aeNovoShop and (3) aeNovoWYSI allow remote attackers to execute arbitrary SQL code via (a) the password parameter in control.asp, and (b) the strSQL parameter in search.asp, which can enable XSS attacks in resulting error messages.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Aenovo	Aenovo Aenovoshop Aenovowysi

Configuration 1 [-]

OR	cpe:2.3:a:aenovo:aenovo::::::::
	cpe:2.3:a:aenovo:aenovoshop::::::::
	cpe:2.3:a:aenovo:aenovowysi::::::::

No data.

References

Link	Providers
http://marc.info/?l=bugtraq&m=112872593432359&w=2
http://secunia.com/advisories/17117/
http://www.kapda.ir/advisory-78.html
http://www.osvdb.org/19936
http://www.osvdb.org/19937
http://www.securityfocus.com/bid/15036
http://www.securityfocus.com/bid/15038
https://exchange.xforce.ibmcloud.com/vulnerabilities/22547
https://exchange.xforce.ibmcloud.com/vulnerabilities/22551
https://exchange.xforce.ibmcloud.com/vulnerabilities/22553

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2005-10-14T04:00:00

Updated: 2024-08-07T23:01:59.064Z

Reserved: 2005-10-14T00:00:00

Link: CVE-2005-3208

Vulnrichment

No data.

NVD

Status : Modified

Published: 2005-10-14T10:02:00.000

Modified: 2017-07-11T01:33:08.127

Link: CVE-2005-3208

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2005-10-07T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in (1) aeNovo, (2) aeNovoShop and (3) aeNovoWYSI allow remote attackers to execute arbitrary SQL code via (a) the password parameter in control.asp, and (b) the strSQL parameter in search.asp, which can enable XSS attacks in resulting error messages."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-10T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "17117", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/17117/"}, {"name": "19936", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/19936"}, {"name": "15036", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/15036"}, {"name": "20051007 Aenovo Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://marc.info/?l=bugtraq&m=112872593432359&w=2"}, {"name": "aenovo-xss(22553)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/22553"}, {"name": "aenovo-strsql-sql-injection(22551)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/22551"}, {"tags": ["x_refsource_MISC"], "url": "http://www.kapda.ir/advisory-78.html"}, {"name": "15038", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/15038"}, {"name": "aenovo-password-sql-injection(22547)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/22547"}, {"name": "19937", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/19937"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2005-3208", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple SQL injection vulnerabilities in (1) aeNovo, (2) aeNovoShop and (3) aeNovoWYSI allow remote attackers to execute arbitrary SQL code via (a) the password parameter in control.asp, and (b) the strSQL parameter in search.asp, which can enable XSS attacks in resulting error messages."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "17117", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/17117/"}, {"name": "19936", "refsource": "OSVDB", "url": "http://www.osvdb.org/19936"}, {"name": "15036", "refsource": "BID", "url": "http://www.securityfocus.com/bid/15036"}, {"name": "20051007 Aenovo Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq&m=112872593432359&w=2"}, {"name": "aenovo-xss(22553)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/22553"}, {"name": "aenovo-strsql-sql-injection(22551)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/22551"}, {"name": "http://www.kapda.ir/advisory-78.html", "refsource": "MISC", "url": "http://www.kapda.ir/advisory-78.html"}, {"name": "15038", "refsource": "BID", "url": "http://www.securityfocus.com/bid/15038"}, {"name": "aenovo-password-sql-injection(22547)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/22547"}, {"name": "19937", "refsource": "OSVDB", "url": "http://www.osvdb.org/19937"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T23:01:59.064Z"}, "title": "CVE Program Container", "references": [{"name": "17117", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/17117/"}, {"name": "19936", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/19936"}, {"name": "15036", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/15036"}, {"name": "20051007 Aenovo Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://marc.info/?l=bugtraq&m=112872593432359&w=2"}, {"name": "aenovo-xss(22553)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/22553"}, {"name": "aenovo-strsql-sql-injection(22551)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/22551"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.kapda.ir/advisory-78.html"}, {"name": "15038", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/15038"}, {"name": "aenovo-password-sql-injection(22547)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/22547"}, {"name": "19937", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/19937"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2005-3208", "datePublished": "2005-10-14T04:00:00", "dateReserved": "2005-10-14T00:00:00", "dateUpdated": "2024-08-07T23:01:59.064Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aenovo:aenovo:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0CA4376-FB7C-4FB3-AF36-E28907CB6A46", "vulnerable": true}, {"criteria": "cpe:2.3:a:aenovo:aenovoshop:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E84793B-F90B-440D-B6DD-4F9F1D4EC431", "vulnerable": true}, {"criteria": "cpe:2.3:a:aenovo:aenovowysi:*:*:*:*:*:*:*:*", "matchCriteriaId": "A66F6D79-0C97-4458-921C-48AECE03973A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in (1) aeNovo, (2) aeNovoShop and (3) aeNovoWYSI allow remote attackers to execute arbitrary SQL code via (a) the password parameter in control.asp, and (b) the strSQL parameter in search.asp, which can enable XSS attacks in resulting error messages."}], "id": "CVE-2005-3208", "lastModified": "2017-07-11T01:33:08.127", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2005-10-14T10:02:00.000", "references": [{"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=112872593432359&w=2"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/17117/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "http://www.kapda.ir/advisory-78.html"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/19936"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/19937"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/15036"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/15038"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/22547"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/22551"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/22553"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}