7.5
CVE-2012-5874
- EPSS 2.51%
- Veröffentlicht 12.01.2013 04:33:49
- Zuletzt bearbeitet 29.04.2026 01:13:23
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginMultiple SQL injection vulnerabilities in the (1) update_whosonline_reg and (2) update_whosonline_guest functions in Elite Bulletin Board before 2.1.22 allow remote attackers to execute arbitrary SQL commands via the PATH_INFO to (a) checkuser.php, (b) groups.php, (c) index.php, (d) login.php, (e) quicklogin.php, (f) register.php, (g) Search.php, (h) viewboard.php, or (i) viewtopic.php.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Elite-board ≫ Elite Bulletin Board Version <= 2.1.21
Elite-board ≫ Elite Bulletin Board Version2.0.0
Elite-board ≫ Elite Bulletin Board Version2.0.1
Elite-board ≫ Elite Bulletin Board Version2.0.2
Elite-board ≫ Elite Bulletin Board Version2.0.3
Elite-board ≫ Elite Bulletin Board Version2.1.0
Elite-board ≫ Elite Bulletin Board Version2.1.1
Elite-board ≫ Elite Bulletin Board Version2.1.2
Elite-board ≫ Elite Bulletin Board Version2.1.3
Elite-board ≫ Elite Bulletin Board Version2.1.4
Elite-board ≫ Elite Bulletin Board Version2.1.5
Elite-board ≫ Elite Bulletin Board Version2.1.6
Elite-board ≫ Elite Bulletin Board Version2.1.7
Elite-board ≫ Elite Bulletin Board Version2.1.8
Elite-board ≫ Elite Bulletin Board Version2.1.9
Elite-board ≫ Elite Bulletin Board Version2.1.10
Elite-board ≫ Elite Bulletin Board Version2.1.11
Elite-board ≫ Elite Bulletin Board Version2.1.12
Elite-board ≫ Elite Bulletin Board Version2.1.13
Elite-board ≫ Elite Bulletin Board Version2.1.14
Elite-board ≫ Elite Bulletin Board Version2.1.15
Elite-board ≫ Elite Bulletin Board Version2.1.16
Elite-board ≫ Elite Bulletin Board Version2.1.17
Elite-board ≫ Elite Bulletin Board Version2.1.18
Elite-board ≫ Elite Bulletin Board Version2.1.19
Elite-board ≫ Elite Bulletin Board Version2.1.20
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.51% | 0.827 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
http://archives.neohapsis.com/archives/bugtraq/2012-12/0114.html
http://elite-board.us/Community/viewtopic.php?bid=1&tid=310
http://packetstormsecurity.com/files/118962/Elite-Bulletin-Board-2.1.21-SQL-Injection.html
http://secunia.com/advisories/51622
http://www.exploit-db.com/exploits/23575
http://www.osvdb.org/88531
https://www.htbridge.com/advisory/HTB23133