[VIM] Missed vectors in SPIP SQL injection

Steven M. Christey coley at mitre.org
Thu Feb 2 00:47:46 EST 2006

Based on this disclosure:


Note how the disclosers also say:

  or with any other variable (id_article, id_breve..) like:

Some VDBs are not mentioning id_breve.

Also, some VDBs missed this:

  The vendor also discovered 2 potential sql injections in the session
  handling and when posting "petitions" (maybe others).

In the interests of full disclosure, an analyst on the CVE content
team *also* missed this, but we all make mistakes as is so painfully
obvious every time Brian finds a CVE dupe that was my fault ;-)

- Steve

More information about the VIM mailing list