CVE-2004-2240
Description
Phorum 5.0.11 and earlier contain multiple SQL injection vulnerabilities in read.php and file.php, allowing remote attackers to manipulate SQL queries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Phorum 5.0.11 and earlier are vulnerable to multiple SQL injection flaws. The first vector exists in read.php where the query string is not properly sanitized, allowing an attacker to inject arbitrary SQL. A second vector exists in file.php via unknown parameters. [2]
Exploitation
An unauthenticated remote attacker can exploit these vulnerabilities by sending a crafted HTTP request to read.php with malicious SQL in the query string, or by targeting the unknown vectors in file.php. No authentication or special privileges are required. [2]
Impact
Successful exploitation allows an attacker to modify SQL statements, potentially leading to unauthorized access to or manipulation of the Phorum database, including disclosure of sensitive data or alteration of forum content. [2]
Mitigation
The vendor has not released a specific patch version in the available references. Users should upgrade to a version later than 5.0.11, as later releases likely contain fixes. The Phorum project has since evolved, and the latest version should be used. [1] [2]
- 2006-02-19 12:41 ts77 * phorum5/trunk/templates/default/pm_folders.tpl: "# corrected order of div/form, thx to Oliver Riesen" 2006-02-19 00:44 mmakaay * phorum5/trunk/pm.php: # Added fake language string PMSent so the language tool will detect it 2006-02-17 20:21 mmakaay * phorum5/trunk/common.php: # Added some useful variables to the template data 2006-02-16 12:34 mmakaay * phorum5/trunk/include/db/mysql.php, phorum5/trunk/include/db/mysqli.php, phorum5/trunk/include/db/postgresql.php: Fix for updating pos…
- About Secunia Research | Flexera
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (8)
- securitytracker.com/id (nvd; Exploit)
- www.maxpatrol.com/advdetails.asp (nvd; Exploit; Vendor Advisory)
- www.osvdb.org/11129 (nvd; Exploit; Patch)
- secunia.com/advisories/12980 (nvd; Vendor Advisory)
- phorum.org/cvs-changelog-5.txt (nvd)
- www.maxpatrol.com/mp_advisory.asp (nvd)
- www.securityfocus.com/bid/11538 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/17847 (nvd)
News mentions (0)
No linked articles in our index yet.