[原文]Multiple SQL injection vulnerabilities in vscripts (aka Kuba Kunkiewicz) VNews 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) loginvar parameter in (a) admin/admin.php, and the (2) news and (3) nom parameters in (b) news.php.
VNews contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the admin/admin.php script not properly sanitizing user-supplied input to the 'loginvar' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: email@example.com:firstname.lastname@example.org