Multiple SQL injection vulnerabilities in search_result.cfm in Jobbex JobSite allow remote attackers to execute arbitrary SQL commands via the (1) jobcountryid and (2) jobstateid parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
| Link | Tags |
|---|---|
| https://exchange.xforce.ibmcloud.com/vulnerabilities/43914 | vdb entry |
| http://holisticinfosec.org/content/view/78/45/ | patch |
| http://www.securityfocus.com/bid/30302 | vdb entry |
| http://support.avidwebtech.com/index.php?_m=news&_a=viewnews&newsid=4 | patch |
| http://secunia.com/advisories/31089 | third party advisory vendor advisory |