CVE-2017-7290

Опубликовано: 30 мар. 2017

Источник: nvd

CVSS3: 7.2

CVSS2: 6.5

EPSS Низкий

Описание

SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses "into outfile" to create a backdoor program.

Ссылки

http://www.securityfocus.com/bid/97230
Third Party Advisory
VDB Entry
https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19
Exploit
Patch
Third Party Advisory
http://www.securityfocus.com/bid/97230
Third Party Advisory
VDB Entry
https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:xoops:xoops:2.5.7.2:*:*:*:*:*:*:*

cpe:2.3:a:xoops:xoops:2.5.7.3:*:*:*:*:*:*:*

cpe:2.3:a:xoops:xoops:2.5.8.1:*:*:*:*:*:*:*

EPSS

Процентиль: 68%

0.00562

Низкий

7.2 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-j76x-72xr-r2qp