A vulnerability was found in irontec klear-library chloe (Software Library) and classified as critical. Affected by this issue is the function _prepareWhere of the file Controller/Rest/BaseController.php. The manipulation with an unknown input leads to a sql injection vulnerability. Using CWE to declare the problem leads to CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability.

The weakness was shared 02/19/2023 as b25262de52fdaffde2a4434fc2a84408b304fbc5. The advisory is shared for download at github.com. This vulnerability is handled as CVE-2015-10084. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1505.

By approaching the search of inurl:Controller/Rest/BaseController.php it is possible to find vulnerable targets with Google Hacking.

Upgrading to version marla eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch b25262de52fdaffde2a4434fc2a84408b304fbc5 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version. The advisory contains the following remark:

Fix sql injection && Permitir la ejecución de sentencias sql complejas predefinidas en controladores REST vía Zend_Db_Expr

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Software Library

Vendor

• irontec

Name

• klear-library

Version

• chloe

License

• open-source

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion