CVE-2010-2672 Information

Description

Multiple SQL injection vulnerabilities in eZ Publish 3.7.0 through 4.2.0 allow remote attackers to execute arbitrary SQL commands via the (1) SectionID and (2) SearchTimestamp parameters to the search feature and the (3) SearchContentClassAttributeID parameter to the advancedsearch feature.

Reference

http://ez.no/de/content/download/321165/3192248/version/1/file/16397.diff
http://ez.no/de/content/download/321166/3192253/version/1/file/16398.diff
http://ez.no/de/developer/security/security_advisories/ez_publish_4_2/ezsa_2010_001_remote_vulnerability_in_ez_search
http://osvdb.org/63237
http://osvdb.org/63238
http://secunia.com/advisories/39101
http://www.securityfocus.com/bid/38985
http://www.siberas.de/advisories/advisories_2010.html
