A vulnerability was found in Sharetronix 3.1.1/3.3 and classified as critical. Affected by this issue is an unknown functionality. The manipulation of the argument invite_users[] with an unknown input leads to a sql injection vulnerability. Using CWE to declare the problem leads to CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. CVE summarizes:

SQL injection vulnerability in Sharetronix before 3.4 allows remote authenticated users to execute arbitrary SQL commands via the invite_users[] parameter to the /invite page for a group.

The weakness was shared 05/29/2014 (Website). The advisory is available at htbridge.com. This vulnerability is handled as CVE-2014-3415 since 05/07/2014. The exploitation is known to be easy. The attack may be launched remotely. The successful exploitation needs a simple authentication. Technical details as well as a public exploit are known. This vulnerability is assigned to T1505 by the MITRE ATT&CK project.

The exploit is available at exploit-db.com. It is declared as proof-of-concept.

Upgrading to version 3.1.1 eliminates this vulnerability.

The vulnerability is also documented in the databases at Exploit-DB (33557) and SecurityFocus (BID 67680†). The entry VDB-69853 is related to this item. If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Name

• Sharetronix

Version

• 3.1.1
• 3.3

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion