KB Affiliate Referral Script 1.0 /index.php username/password sql injection

A vulnerability was found in KB Affiliate Referral Script 1.0. It has been classified as critical. This affects an unknown part of the file /index.php. The manipulation of the argument username/password with the input 'or''=' leads to sql injection. The CWE definition for the vulnerability is CWE-89. The weakness was released 01/26/2017 by Ihsan Sencan as EDB-ID 41166 as Exploit (Exploit-DB). The advisory is shared at exploit-db.com. This vulnerability is uniquely identified as CVE-2017-20126. It is possible to initiate the attack remotely. Technical details are available. Furthermore, there is an exploit available. The exploit has been disclosed to the public and may be used. The price for an exploit might be around USD $0-$5k at the moment. MITRE ATT&CK project uses the attack technique T1505 for this issue. It is declared as proof-of-concept. The exploit is shared for download at exploit-db.com. We expect the 0-day to have been worth approximately $0-$5k. A possible mitigation has been published before and not just after the disclosure of the vulnerability.

Field11/11/2022 22:3711/11/2022 22:4611/11/2022 22:57
nameKB Affiliate Referral ScriptKB Affiliate Referral ScriptKB Affiliate Referral Script
version1.01.01.0
file/index.php/index.php/index.php
argumentusername/passwordusername/passwordusername/password
input_value'or''=''or''=''or''='
risk222
cvss2_vuldb_basescore6.86.86.8
cvss2_vuldb_tempscore6.16.16.1
cvss2_vuldb_avNNN
cvss2_vuldb_acMMM
cvss2_vuldb_auNNN
cvss2_vuldb_ciPPP
cvss2_vuldb_iiPPP
cvss2_vuldb_aiPPP
cvss3_meta_basescore7.38.18.1
cvss3_meta_tempscore6.98.08.0
cvss3_vuldb_basescore7.37.37.3
cvss3_vuldb_tempscore6.96.96.9
cvss3_vuldb_avNNN
cvss3_vuldb_acLLL
cvss3_vuldb_prNNN
cvss3_vuldb_uiNNN
cvss3_vuldb_sUUU
cvss3_vuldb_cLLL
cvss3_vuldb_iLLL
cvss3_vuldb_aLLL
date1485388800 (01/26/2017)1485388800 (01/26/2017)1485388800 (01/26/2017)
locationExploit-DBExploit-DBExploit-DB
typeExploitExploitExploit
urlhttps://www.exploit-db.com/exploits/41166/https://www.exploit-db.com/exploits/41166/https://www.exploit-db.com/exploits/41166/
identifierEDB-ID 41166EDB-ID 41166EDB-ID 41166
person_nameIhsan SencanIhsan SencanIhsan Sencan
availability111
date1485388800 (01/26/2017)1485388800 (01/26/2017)1485388800 (01/26/2017)
publicity111
urlhttps://www.exploit-db.com/exploits/41166/https://www.exploit-db.com/exploits/41166/https://www.exploit-db.com/exploits/41166/
developer_nameIhsan SencanIhsan SencanIhsan Sencan
price_0day$0-$5k$0-$5k$0-$5k
exploitdb411664116641166
cvss2_vuldb_ePOCPOCPOC
cvss2_vuldb_rlNDNDND
cvss2_vuldb_rcCCC
cvss3_vuldb_ePPP
cvss3_vuldb_rlXXX
cvss3_vuldb_rcCCC
typeAdvertising SoftwareAdvertising SoftwareAdvertising Software
exploitdb_date1485388800 (01/26/2017)1485388800 (01/26/2017)1485388800 (01/26/2017)
cwe89 (sql injection)89 (sql injection)89 (sql injection)
cveCVE-2017-20126CVE-2017-20126CVE-2017-20126
responsibleVulDBVulDBVulDB
cve_assigned1656367200 (06/28/2022)1656367200 (06/28/2022)1656367200 (06/28/2022)
cve_nvd_summaryA vulnerability was found in KB Affiliate Referral Script 1.0. It has been classified as critical. This affects an unknown part of the file /index.php. The manipulation of the argument username/password with the input 'or''=' leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.A vulnerability was found in KB Affiliate Referral Script 1.0. It has been classified as critical. This affects an unknown part of the file /index.php. The manipulation of the argument username/password with the input 'or''=' leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.A vulnerability was found in KB Affiliate Referral Script 1.0. It has been classified as critical. This affects an unknown part of the file /index.php. The manipulation of the argument username/password with the input 'or''=' leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
cvss3_nvd_avNN
cvss3_nvd_acLL
cvss3_nvd_prNN
cvss3_nvd_uiNN
cvss3_nvd_sUU
cvss3_nvd_cHH
cvss3_nvd_iHH
cvss3_nvd_aHH
cvss3_cna_avNN
cvss3_cna_acLL
cvss3_cna_prNN
cvss3_cna_uiNN
cvss3_cna_sUU
cvss3_cna_cLL
cvss3_cna_iLL
cvss3_cna_aLL
cve_cnaVulDBVulDB
cvss3_nvd_basescore9.89.8
cvss3_cna_basescore7.37.3

PreviousOverviewNext

Interested in the pricing of exploits?

See the underground prices here!