Multiple vulnerabilities in Voovi Social Networking Script

Posted date 30/11/2023
Identifier
INCIBE-2023-0536
Importance
5 - Critical
Affected Resources
  • Voovi Social Networking Script, version 1.0.
Description

INCIBE has coordinated the publication of 11 vulnerabilities affecting Voovi, an open source script for social networks, which have been discovered by Rafael Pedrero.

These vulnerabilities have been assigned the following identifiers, CVSS v3.1 base scores, CVSS vector strings and CWE weakness types:

  • Identifiers from CVE-2023-6410 to CVE-2023-6418, both inclusive:
    • CVSS v3.1 base score: 9.8 | CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-89.
  • Identifiers CVE-2023-6419 and CVE-2023-6420:
    • CVSS v3.1 base score: 6.5 | CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CWE-79.
Solution

There is no reported solution at this time.

Detail
  • A vulnerability has been reported in Voovi Social Networking Script that affects version 1.0 and consists of a SQL injection in multiple parameters. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the application. The list of affected files and parameters is as follows:
    • CVE-2023-6410: editprofile.php in multiple parameters.
    • CVE-2023-6411: home.php in the update parameter.
    • CVE-2023-6412: photo.php in multiple parameters.
    • CVE-2023-6413: photos.php in the id and user parameters.
    • CVE-2023-6414: perfil.php in the id and user parameters.
    • CVE-2023-6415: signin.php in the user parameter.
    • CVE-2023-6416: signup2.php in the emailadd parameter.
    • CVE-2023-6417: update.php in the id parameter.
    • CVE-2023-6418: videos.php in the id parameter.
  • A vulnerability has been reported in Voovi Social Networking Script version 1.0 consisting of cross-site scripting (XSS) in multiple parameters. Exploitation could allow a remote attacker to send a specially crafted JavaScript payload and partially take over the browser session of an authenticated user. The list of affected files and parameters is as follows:
    • CVE-2023-6419: editprofile.php in multiple parameters.
    • CVE-2023-6420: signup2.php in the emailadd parameter.
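The two weakness classes above (CWE-89 and CWE-79) share the same root cause: request parameters reach the SQL engine or the HTML output without being separated from the surrounding code. The following PHP snippet is an added illustration of the standard mitigation, not Voovi's code and not a vendor patch; the handler, the `photos` table, its columns and the database credentials are assumptions modelled loosely on the `id` parameter of a photos.php-style page.

```php
<?php
// Added illustration (not Voovi's code): hypothetical handler for a
// photos.php-style page that reads an `id` parameter. The table name,
// column names and connection details are assumptions.

// UNSAFE pattern (CWE-89): the request value is concatenated into the
// query text, so the parameter itself controls the SQL that runs.
function view_photo_unsafe(PDO $pdo, string $id): ?array {
    $sql = "SELECT id, title, owner FROM photos WHERE id = " . $id;
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// HARDENED: validate the expected type, then bind the value as a
// parameter so the database never interprets it as SQL.
function view_photo(PDO $pdo, string $id): ?array {
    // Reject anything that is not a positive integer before touching the DB.
    if (!ctype_digit($id) || $id === '0') {
        http_response_code(400);
        return null;
    }
    $stmt = $pdo->prepare("SELECT id, title, owner FROM photos WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// HARDENED (CWE-79): every value reflected into the page is encoded for
// the HTML context, so a stored or reflected value cannot become script.
function render_photo(array $row): string {
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>' . $e($row['title']) . '</h1>'
         . '<p>Uploaded by ' . $e($row['owner']) . '</p>';
}

// Wiring (placeholder DSN and credentials); emulated prepares are
// disabled so the parameter is bound server-side by the driver.
$pdo = new PDO('mysql:host=localhost;dbname=app_db', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$row = view_photo($pdo, $_GET['id'] ?? '');
echo $row ? render_photo($row) : 'Not found';
```

The same two steps (type validation plus parameter binding, and context-aware output encoding) apply to each of the other listed files and parameters; a Content-Security-Policy header and HttpOnly session cookies limit the impact of the XSS class but do not replace output encoding.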