A vulnerability has been found in jojo CMS 1.1/1.2/1.2.1 (Content Management System) and classified as critical. This vulnerability affects the function checkEmailFormat. The manipulation with an unknown input leads to a sql injection vulnerability. The CWE definition for the vulnerability is CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

SQL injection vulnerability in the checkEmailFormat function in plugins/jojo_core/classes/Jojo.php in Jojo before 1.2.2 allows remote attackers to execute arbitrary SQL commands via the X-Forwarded-For HTTP header to /articles/test/.

The weakness was presented 06/09/2014 (Website). The advisory is shared for download at github.com. This vulnerability was named CVE-2013-3081 since 04/17/2013. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1505.

Upgrading to version 1.1 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at X-Force (84285). See 69989 for similar entry.

Productinfo

Type

• Content Management System

Vendor

• jojo

Name

• CMS

Version

• 1.1
• 1.2
• 1.2.1

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion