CVE-2010-2672 | HackTesting

Multiple SQL injection vulnerabilities in eZ Publish 3.7.0 through 4.2.0 allow remote attackers to execute arbitrary SQL commands via the (1) SectionID and (2) SearchTimestamp parameters to the search feature and the (3) SearchContentClassAttributeID parameter to the advancedsearch feature.

References

http://www.siberas.de/advisories/advisories_2010.html

http://ez.no/de/content/download/321165/3192248/version/1/file/16397.diff

http://osvdb.org/63237

http://secunia.com/advisories/39101

http://www.securityfocus.com/bid/38985

http://ez.no/de/content/download/321166/3192253/version/1/file/16398.diff

http://ez.no/de/developer/security/security_advisories/ez_publish_4_2/ezsa_2010_001_remote_vulnerability_in_ez_search

http://osvdb.org/63238