7.5

CVE-2013-4789

Exploit
SQL injection vulnerability in modules/rss/rss.php in Cotonti before 0.9.14 allows remote attackers to execute arbitrary SQL commands via the "c" parameter to index.php.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CotontiCotonti Siena Version <= 0.9.13
CotontiCotonti Siena Version0.9.0
CotontiCotonti Siena Version0.9.1
CotontiCotonti Siena Version0.9.2
CotontiCotonti Siena Version0.9.3
CotontiCotonti Siena Version0.9.4
CotontiCotonti Siena Version0.9.5
CotontiCotonti Siena Version0.9.6
CotontiCotonti Siena Version0.9.7
CotontiCotonti Siena Version0.9.8
CotontiCotonti Siena Version0.9.9
CotontiCotonti Siena Version0.9.10
CotontiCotonti Siena Version0.9.11
CotontiCotonti Siena Version0.9.12
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.62% 0.835
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

http://osvdb.org/95842
http://secunia.com/advisories/54289
Vendor Advisory
http://www.cotonti.com/forums?m=posts&q=7475
http://www.cotonti.com/news/announce/siena_0914_released
Vendor Advisory
http://www.securityfocus.com/bid/61538
https://github.com/Cotonti/Cotonti/commit/45eec046391afabb676b62b9201da0cd530360b4
Patch
Exploit
https://www.htbridge.com/advisory/HTB23164
Exploit