CVE-2013-7349
Gnew 2013.1 - SQL Injection via news_id, thread_id, or user_email Parameter
Title source: llmExploitation Summary
EIP tracks 2 public exploits for CVE-2013-7349. PoCs published by High-Tech Bridge SA.
AI-analyzed exploit summary This advisory details multiple vulnerabilities in Gnew 2013.1, including PHP file inclusion via the 'gnew_language' cookie and SQL injection in various scripts. It provides technical exploitation examples for each vulnerability.
Description
Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote attackers to execute arbitrary SQL commands via the (1) news_id parameter to news/send.php, (2) thread_id parameter to posts/edit.php, or (3) user_email parameter to users/password.php or (4) users/register.php. NOTE: these issues were SPLIT from CVE-2013-5640 due to differences in researchers and disclosure dates.
Exploits (2)
This advisory details multiple vulnerabilities in Gnew 2013.1, including PHP file inclusion via the 'gnew_language' cookie and SQL injection in various scripts. It provides technical exploitation examples for each vulnerability.
The exploit demonstrates multiple XSS and SQL injection vulnerabilities in Gnew CMS v2013.1 by providing HTTP request examples with malicious payloads. It includes specific parameters and endpoints affected, along with proof-of-concept payloads for both XSS and SQLi.