CVE ID: CVE-2008-1591
CPE: cpe:/a:postnuke:postnuke:0.764
Published: 2008-03-31T19:44:00.000-04:00
Last modified: 2017-09-28T21:30:46.863-04:00
CVSS score: 7.5
Access vector: NETWORK
Access complexity: LOW
Authentication: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
CVSS source: http://nvd.nist.gov
CVSS generated on: 2008-04-01T10:45:00.000-04:00
Security protection: ALLOWS_OTHER_ACCESS
References: BID 28407; EXPLOIT-DB 5292; XF postnuke-index-script-sql-injection(41375)

Summary: The pnVarPrepForStore function in PostNuke 0.764 and earlier skips input sanitization when magic_quotes_runtime is enabled, which allows remote attackers to conduct SQL injection attacks and execute arbitrary SQL commands via input associated with server variables, as demonstrated by the CLIENT_IP HTTP header (HTTP_CLIENT_IP variable).