Description
Multiple SQL injection vulnerabilities in PhotoPost PHP Pro 4.6.x and earlier allow remote attackers to gain users' passwords via the (1) photo parameter to addfav.php, (2) photo parameter to comments.php, (3) credit parameter to comments.php, (4) cat parameter to index.php, (5) ppuser parameter to showgallery.php, (6) cat parameter to showgallery.php, (7) cat parameter to uploadphoto.php, (8) albumid parameter to useralbums.php, or (9) albumid parameter to useralbums.php.
Exploits (2)
References (5)
Core 5
Core References
Vendor Advisory vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/9994
Mailing List mailing-list
x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=108057790723123&w=2
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/15642
Vendor Advisory vdb-entry
x_refsource_sectrack
http://securitytracker.com/id?1009571
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/11241
Scores
EPSS
0.0070
EPSS Percentile
72.1%
Details
Status
published
Products (7)
photopost/photopost_php_pro
3.1
photopost/photopost_php_pro
3.2
photopost/photopost_php_pro
3.3
photopost/photopost_php_pro
4.0
photopost/photopost_php_pro
4.1
photopost/photopost_php_pro
4.6
photopost/photopost_php_pro
4.8.1
Published
Mar 29, 2004
Tracked Since
Feb 18, 2026