CVE-2011-0434

EPSS 1.08%
Veröffentlicht 07.03.2011 21:00:01
Zuletzt bearbeitet 11.04.2025 00:51:21
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Multiple SQL injection vulnerabilities in Domain Technologie Control (DTC) before 0.32.9 allow remote attackers to execute arbitrary SQL commands via the cid parameter to (1) admin/bw_per_month.php or (2) client/bw_per_month.php.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 12

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gplhost ≫ Domain Technologie Control Version <= 0.32.8

Gplhost ≫ Domain Technologie Control Version0.24.6

Gplhost ≫ Domain Technologie Control Version0.25.1

Gplhost ≫ Domain Technologie Control Version0.25.2

Gplhost ≫ Domain Technologie Control Version0.25.3

Gplhost ≫ Domain Technologie Control Version0.26.7

Gplhost ≫ Domain Technologie Control Version0.26.8

Gplhost ≫ Domain Technologie Control Version0.26.9

Gplhost ≫ Domain Technologie Control Version0.27.3

Gplhost ≫ Domain Technologie Control Version0.28.2

Gplhost ≫ Domain Technologie Control Version0.28.3

Gplhost ≫ Domain Technologie Control Version0.28.4

Gplhost ≫ Domain Technologie Control Version0.28.6

Gplhost ≫ Domain Technologie Control Version0.28.9

Gplhost ≫ Domain Technologie Control Version0.28.10

Gplhost ≫ Domain Technologie Control Version0.29.1

Gplhost ≫ Domain Technologie Control Version0.29.6

Gplhost ≫ Domain Technologie Control Version0.29.8

Gplhost ≫ Domain Technologie Control Version0.29.10

Gplhost ≫ Domain Technologie Control Version0.29.14

Gplhost ≫ Domain Technologie Control Version0.29.15

Gplhost ≫ Domain Technologie Control Version0.29.16

Gplhost ≫ Domain Technologie Control Version0.29.17

Gplhost ≫ Domain Technologie Control Version0.30.6

Gplhost ≫ Domain Technologie Control Version0.30.8

Gplhost ≫ Domain Technologie Control Version0.30.10

Gplhost ≫ Domain Technologie Control Version0.30.18

Gplhost ≫ Domain Technologie Control Version0.30.20

Gplhost ≫ Domain Technologie Control Version0.32.1

Gplhost ≫ Domain Technologie Control Version0.32.2

Gplhost ≫ Domain Technologie Control Version0.32.3

Gplhost ≫ Domain Technologie Control Version0.32.4

Gplhost ≫ Domain Technologie Control Version0.32.5

Gplhost ≫ Domain Technologie Control Version0.32.6

Gplhost ≫ Domain Technologie Control Version0.32.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.08%	0.758

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

http://git.gplhost.com/gitweb/?p=dtc.git%3Ba=commit%3Bh=89da9c519b04cda1b23e6290d2b0a6cea1bae31e

http://git.gplhost.com/gitweb/?p=dtc.git%3Ba=commit%3Bh=e94e8b9cc354bfcaeb284d5331b815256bb46162

http://packages.debian.org/changelogs/pool/main/d/dtc/dtc_0.29.17-1+lenny1/changelog

http://packages.debian.org/changelogs/pool/main/d/dtc/dtc_0.32.10-1/changelog

http://secunia.com/advisories/43523

Vendor Advisory

http://www.debian.org/security/2011/dsa-2179

http://www.gplhost.sg/lists/dtcannounce/msg00025.html

Patch

http://www.vupen.com/english/advisories/2011/0556

Vendor Advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/65895