The GetPassword function in function.php of SiteNews 0.10 and 0.11 allows remote attackers to gain privileges and add users by providing a non-existent user name and the MD5 checksum for an empty password to add_user.php, which causes GetPassword to produce and compare a blank password for the non-existent user.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| sitenews | sitenews | 0.07_beta |
| sitenews | sitenews | 0.05_beta |
| sitenews | sitenews | 0.11_beta |
| sitenews | sitenews | 0.03_beta |
| sitenews | sitenews | 0.09_beta |
| sitenews | sitenews | 0.10_beta |
| sitenews | sitenews | 0.01_beta |
| sitenews | sitenews | 0.04_beta |
| sitenews | sitenews | 0.08_beta |
| sitenews | sitenews | 0.02_beta |
| sitenews | sitenews | 0.06_beta |