roxlukas LMeve Login Page X-Forwarded-For sql injection

A vulnerability was found in roxlukas LMeve and classified as critical. Affected by this issue is some unknown functionality of the component Login Page. The manipulation of the argument X-Forwarded-For leads to sql injection. Using CWE to declare the problem leads to CWE-89. The weakness was released 12/17/2022 as 29e1ead3bb1c1fad53b77dfc14534496421c5b5d. The advisory is shared for download at github.com. This vulnerability is handled as CVE-2021-4246. The attack may be launched remotely. Technical details are available. There is no exploit available. The current price for an exploit might be approx. USD $0-$5k at the moment. The MITRE ATT&CK project declares the attack technique as T1505. It is declared as not defined. As 0-day the estimated underground price was around $0-$5k. The name of the patch is 29e1ead3bb1c1fad53b77dfc14534496421c5b5d. The bugfix is ready for download at github.com. It is recommended to apply a patch to fix this issue. A possible mitigation has been published before and not just after the disclosure of the vulnerability.

Field12/17/2022 19:5601/14/2023 17:2701/14/2023 17:34
vendorroxlukasroxlukasroxlukas
nameLMeveLMeveLMeve
componentLogin PageLogin PageLogin Page
argumentX-Forwarded-ForX-Forwarded-ForX-Forwarded-For
cwe89 (sql injection)89 (sql injection)89 (sql injection)
risk222
cvss3_vuldb_avNNN
cvss3_vuldb_acLLL
cvss3_vuldb_uiNNN
cvss3_vuldb_sUUU
cvss3_vuldb_cLLL
cvss3_vuldb_iLLL
cvss3_vuldb_aLLL
cvss3_vuldb_rlOOO
cvss3_vuldb_rcCCC
identifier29e1ead3bb1c1fad53b77dfc14534496421c5b5d29e1ead3bb1c1fad53b77dfc14534496421c5b5d29e1ead3bb1c1fad53b77dfc14534496421c5b5d
urlhttps://github.com/roxlukas/lmeve/commit/29e1ead3bb1c1fad53b77dfc14534496421c5b5dhttps://github.com/roxlukas/lmeve/commit/29e1ead3bb1c1fad53b77dfc14534496421c5b5dhttps://github.com/roxlukas/lmeve/commit/29e1ead3bb1c1fad53b77dfc14534496421c5b5d
namePatchPatchPatch
patch_name29e1ead3bb1c1fad53b77dfc14534496421c5b5d29e1ead3bb1c1fad53b77dfc14534496421c5b5d29e1ead3bb1c1fad53b77dfc14534496421c5b5d
patch_urlhttps://github.com/roxlukas/lmeve/commit/29e1ead3bb1c1fad53b77dfc14534496421c5b5dhttps://github.com/roxlukas/lmeve/commit/29e1ead3bb1c1fad53b77dfc14534496421c5b5dhttps://github.com/roxlukas/lmeve/commit/29e1ead3bb1c1fad53b77dfc14534496421c5b5d
cveCVE-2021-4246CVE-2021-4246CVE-2021-4246
responsibleVulDBVulDBVulDB
date1671231600 (12/17/2022)1671231600 (12/17/2022)1671231600 (12/17/2022)
cvss2_vuldb_avNNN
cvss2_vuldb_acLLL
cvss2_vuldb_ciPPP
cvss2_vuldb_iiPPP
cvss2_vuldb_aiPPP
cvss2_vuldb_rcCCC
cvss2_vuldb_rlOFOFOF
cvss2_vuldb_auSSS
cvss2_vuldb_eNDNDND
cvss3_vuldb_prLLL
cvss3_vuldb_eXXX
cvss2_vuldb_basescore6.56.56.5
cvss2_vuldb_tempscore5.75.75.7
cvss3_vuldb_basescore6.36.36.3
cvss3_vuldb_tempscore6.06.06.0
cvss3_meta_basescore6.36.37.5
cvss3_meta_tempscore6.06.07.4
price_0day$0-$5k$0-$5k$0-$5k
cve_assigned1671231600 (12/17/2022)1671231600 (12/17/2022)
cve_nvd_summaryA vulnerability was found in roxlukas LMeve and classified as critical. Affected by this issue is some unknown functionality of the component Login Page. The manipulation of the argument X-Forwarded-For leads to sql injection. The attack may be launched remotely. The name of the patch is 29e1ead3bb1c1fad53b77dfc14534496421c5b5d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216176.A vulnerability was found in roxlukas LMeve and classified as critical. Affected by this issue is some unknown functionality of the component Login Page. The manipulation of the argument X-Forwarded-For leads to sql injection. The attack may be launched remotely. The name of the patch is 29e1ead3bb1c1fad53b77dfc14534496421c5b5d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216176.
cvss3_nvd_avN
cvss3_nvd_acL
cvss3_nvd_prN
cvss3_nvd_uiN
cvss3_nvd_sU
cvss3_nvd_cH
cvss3_nvd_iH
cvss3_nvd_aH
cvss3_cna_avN
cvss3_cna_acL
cvss3_cna_prL
cvss3_cna_uiN
cvss3_cna_sU
cvss3_cna_cL
cvss3_cna_iL
cvss3_cna_aL
cve_cnaVulDB
cvss3_nvd_basescore9.8
cvss3_cna_basescore6.3

Do you want to use VulDB in your project?

Use the official API to access entries easily!