CVE-2005-4469 | Vulnerability Database | Aqua Security

Multiple direct static code injection vulnerabilities in PHPGedView 3.3.7 and earlier allow remote attackers to execute arbitrary PHP code via (1) the username field in login.php, or the (2) user_language, (3) user_email, and (4) user_gedcomid parameters in login_register.php, which is directly inserted into authenticate.php.

Affected Software

Name	Vendor	Start Version	End Version
Phpgedview	Phpgedview	*	3.3.7 (including)
Phpgedview	Phpgedview	2.52.3 (including)	2.52.3 (including)
Phpgedview	Phpgedview	2.60 (including)	2.60 (including)
Phpgedview	Phpgedview	2.61 (including)	2.61 (including)
Phpgedview	Phpgedview	2.61.1 (including)	2.61.1 (including)
Phpgedview	Phpgedview	2.65 (including)	2.65 (including)
Phpgedview	Phpgedview	2.65.1 (including)	2.65.1 (including)
Phpgedview	Phpgedview	2.65.2 (including)	2.65.2 (including)
Phpgedview	Phpgedview	2.65_beta5 (including)	2.65_beta5 (including)

References

http://cvs.sourceforge.net/viewcvs.py/phpgedview/phpGedView/login_register.php?r1=1.71.2.35\u0026r2=1.71.2.36
http://cvs.sourceforge.net/viewcvs.py/phpgedview/phpGedView/login_register.php?r1=1.71.2.36\u0026r2=1.71.2.37
http://rgod.altervista.org/phpgedview_337_xpl.html
http://secunia.com/advisories/18177
http://securitytracker.com/id?1015395
http://www.osvdb.org/22010
http://www.securityfocus.com/archive/1/419906/100/0/threaded
http://www.securityfocus.com/bid/15983
http://www.vupen.com/english/advisories/2005/3033
https://exchange.xforce.ibmcloud.com/vulnerabilities/23873
https://sourceforge.net/tracker/index.php?func=detail\u0026aid=1386434\u0026group_id=55456\u0026atid=477081

NVD	https://nvd.nist.gov/vuln/detail/CVE-2005-4469
CWE	https://cwe.mitre.org/data/definitions/NVD-Other.html