CVE-2010-0802 in (nv2) Awards

Summary

by MITRE

SQL injection vulnerability in index.php in (nv2) Awards 1.1.0, a modification for Invision Power Board, allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action.


Analysis

by VulDB Data Team • 05/01/2026

The vulnerability identified as CVE-2010-0802 represents a critical SQL injection flaw within the nv2 Awards modification version 1.1.0 for Invision Power Board platforms. This security weakness specifically manifests in the index.php file, where the application fails to properly sanitize user input before incorporating it into SQL query constructions. The vulnerability occurs when the application processes the id parameter during a view action, creating an opportunity for malicious actors to manipulate database operations through crafted input sequences. The flaw exists within the web application's input validation mechanisms, allowing attackers to bypass normal authentication and authorization controls that should protect database access. This particular implementation vulnerability demonstrates poor security practices in parameter handling and query construction that directly violate fundamental secure coding principles.

The technical exploitation of this vulnerability enables remote attackers to execute arbitrary SQL commands against the underlying database system without proper authentication. When an attacker submits a malicious value through the id parameter, the application incorporates this unvalidated input directly into SQL statements, potentially allowing full database access, data manipulation, or even system compromise. The vulnerability falls under CWE-89, which specifically addresses SQL injection weaknesses in software applications. This type of attack vector represents a classic example of how insufficient input validation can lead to complete system compromise, as the attacker can potentially extract sensitive information, modify database records, or execute administrative commands through the compromised application interface. The impact extends beyond simple data theft, as it can provide attackers with persistent access to the database infrastructure that supports the Invision Power Board platform.

Operationally, this vulnerability poses significant risks to organizations using the affected nv2 Awards modification, particularly those running Invision Power Board forums that have not updated to patched versions. The remote nature of the attack means that adversaries can exploit this flaw from anywhere on the internet without requiring physical access to the system or network. Attackers can leverage this vulnerability to gain unauthorized access to user accounts, forum data, and potentially sensitive information stored within the database. The exploitation process typically involves crafting malicious SQL payloads that can be injected through the vulnerable id parameter, potentially leading to complete database compromise. This vulnerability directly aligns with ATT&CK technique T1190, which covers exploitation of remote services, and T1071.005, which addresses application layer protocol usage. Organizations using this vulnerable software are at risk of data breaches, service disruption, and potential regulatory compliance violations that could result in significant financial and reputational damage.

Mitigation strategies for this vulnerability require immediate implementation of security patches provided by the software vendors or through manual code modifications that properly sanitize all user inputs. Organizations should implement proper input validation techniques including parameterized queries, prepared statements, and strict input filtering to prevent malicious SQL code from being executed. The recommended approach involves updating to patched versions of the nv2 Awards modification or implementing web application firewalls that can detect and block SQL injection attempts. Security teams should also conduct thorough vulnerability assessments of all installed modifications and plugins to identify similar weaknesses within the Invision Power Board ecosystem. Additional protective measures include implementing database access controls, monitoring database activities for unusual patterns, and establishing proper network segmentation to limit potential damage from successful exploitation attempts. Regular security audits and code reviews should be performed to identify and remediate similar input validation vulnerabilities across the entire application stack.
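
The input validation and prepared-statement advice above, as an added PHP example (not code from (nv2) Awards, Invision Power Board or VulDB). The table, column and function names are hypothetical, and an in-memory SQLite database with constructed rows stands in for the forum database.

```php
<?php
declare(strict_types=1);

// Hypothetical schema and names; this is not (nv2) Awards or IPB code.
// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE awards (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO awards (id, name) VALUES (7, 'Top Poster'), (8, 'Veteran')");

/** Vulnerable pattern (CWE-89): the raw id value becomes part of the SQL text. */
function viewAwardUnsafe(PDO $db, string $id): array
{
    return $db->query("SELECT id, name FROM awards WHERE id = $id")
              ->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened: strict integer validation, then a bound parameter. */
function viewAwardSafe(PDO $db, string $id): ?array
{
    // Accept only an integer >= 1; anything else is rejected outright.
    $awardId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($awardId === false) {
        return null; // caller should answer with HTTP 400 and log the request
    }
    // The SQL text is fixed; the value travels separately as typed data.
    $stmt = $db->prepare('SELECT id, name FROM awards WHERE id = :id');
    $stmt->bindValue(':id', $awardId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs standing in for the id parameter of a view action.
foreach (['7', '7 OR 1=1', '7abc', ''] as $id) {
    $safe = viewAwardSafe($db, $id);
    printf("id=%-12s safe: %s\n", var_export($id, true), $safe ? $safe['name'] : 'rejected');
}

// Same non-numeric input through the unsafe version: the value is parsed as
// SQL, so it alters the WHERE clause instead of being compared as data.
printf("unsafe row count: %d\n", count(viewAwardUnsafe($db, '7 OR 1=1')));
```

Validation and binding are complementary: the integer check rejects malformed requests early and gives a clean signal to log, while the bound parameter keeps the query structure fixed even if a validation rule is later loosened.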

Reservation

03/02/2010

Disclosure

03/02/2010

Moderation

accepted

Entry

VDB-52031

CPE

ready

Exploit

Download

EPSS

0.00149

KEV

no

Activities

very low
