9.8

CVE-2016-7405

The qstr method in the PDO driver in the ADOdb Library for PHP before 5.x before 5.20.7 might allow remote attackers to conduct SQL injection attacks via vectors related to incorrect quoting.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Adodb ProjectAdodb Version5.00 Updatebeta
   PhpPhp Version-
Adodb ProjectAdodb Version5.01 Updatebeta
   PhpPhp Version-
Adodb ProjectAdodb Version5.02
   PhpPhp Version-
Adodb ProjectAdodb Version5.02 Updatea
   PhpPhp Version-
Adodb ProjectAdodb Version5.03
   PhpPhp Version-
Adodb ProjectAdodb Version5.04
   PhpPhp Version-
Adodb ProjectAdodb Version5.04 Updatea
   PhpPhp Version-
Adodb ProjectAdodb Version5.05
   PhpPhp Version-
Adodb ProjectAdodb Version5.06
   PhpPhp Version-
Adodb ProjectAdodb Version5.06 Updatea
   PhpPhp Version-
Adodb ProjectAdodb Version5.07
   PhpPhp Version-
Adodb ProjectAdodb Version5.08
   PhpPhp Version-
Adodb ProjectAdodb Version5.08 Updatea
   PhpPhp Version-
Adodb ProjectAdodb Version5.09
   PhpPhp Version-
Adodb ProjectAdodb Version5.09 Updatea
   PhpPhp Version-
Adodb ProjectAdodb Version5.10
   PhpPhp Version-
Adodb ProjectAdodb Version5.11
   PhpPhp Version-
Adodb ProjectAdodb Version5.12
   PhpPhp Version-
Adodb ProjectAdodb Version5.13
   PhpPhp Version-
Adodb ProjectAdodb Version5.14
   PhpPhp Version-
Adodb ProjectAdodb Version5.15
   PhpPhp Version-
Adodb ProjectAdodb Version5.16
   PhpPhp Version-
Adodb ProjectAdodb Version5.16 Updatea
   PhpPhp Version-
Adodb ProjectAdodb Version5.17
   PhpPhp Version-
Adodb ProjectAdodb Version5.18
   PhpPhp Version-
Adodb ProjectAdodb Version5.18 Updatea
   PhpPhp Version-
Adodb ProjectAdodb Version5.19
   PhpPhp Version-
Adodb ProjectAdodb Version5.20.0
   PhpPhp Version-
Adodb ProjectAdodb Version5.20.1
   PhpPhp Version-
Adodb ProjectAdodb Version5.20.2
   PhpPhp Version-
Adodb ProjectAdodb Version5.20.3
   PhpPhp Version-
Adodb ProjectAdodb Version5.20.4
   PhpPhp Version-
Adodb ProjectAdodb Version5.20.5
   PhpPhp Version-
Adodb ProjectAdodb Version5.20.6
   PhpPhp Version-
FedoraprojectFedora Version25
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.98% 0.855
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

http://www.openwall.com/lists/oss-security/2016/09/07/8
Patch
Release Notes
http://www.openwall.com/lists/oss-security/2016/09/15/1
Patch
Release Notes
http://www.securityfocus.com/bid/92969
Third Party Advisory
https://github.com/ADOdb/ADOdb/blob/v5.20.7/docs/changelog.md
Patch
Vendor Advisory
Release Notes
https://github.com/ADOdb/ADOdb/commit/bd9eca9f40220f9918ec3cc7ae9ef422b3e448b8
Patch
Vendor Advisory
https://github.com/ADOdb/ADOdb/issues/226
Patch
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LT3WU77BRUJREZUYQ3ZQBMUIVIVIND4Y/
https://security.gentoo.org/glsa/201701-59