RETIRED: myPHPNuke 'print.php' SQL Injection and Cross-Site Scripting Vulnerabilities
myPHPNuke is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to myPHPNuke 1.8.8_8rc2 are vulnerable.
NOTE: myPHPNuke 1.8.8_8rc2 has been reported to still be vulnerable to certain limited SQL-injection attacks.
UPDATE: This issue was previously discussed in BID 30942. Due to a technical difficulty with that record, the issue has been assigned a new BID.
This BID is being retired as a duplicate of BID 30942 (myPHPNuke 'print.php' SQL Injection and Cross-Site Scripting Vulnerabilities).