CVE-2005-3679 in 1-2-All Broadcast Emailinfo

Summary

by MITRE

SQL injection vulnerability in admin/index.php in ActiveCampaign 1-2-All Broadcast Email allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username field in the admin control panel.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 03/09/2025

The CVE-2005-3679 vulnerability represents a critical SQL injection flaw discovered in ActiveCampaign 1-2-All Broadcast Email software, specifically within the admin/index.php component. This vulnerability resides in the administrative control panel where user authentication occurs, making it particularly dangerous as it can be exploited by remote attackers to gain unauthorized access to the system. The flaw manifests when the application fails to properly sanitize user input submitted through the username field, creating an avenue for malicious actors to inject arbitrary SQL commands directly into the database query execution chain.

The technical implementation of this vulnerability stems from insufficient input validation and parameter sanitization within the application's authentication mechanism. When administrators attempt to log in through the web interface, the username value is directly incorporated into SQL queries without proper escaping or parameterization techniques. This design flaw aligns with CWE-89, which specifically addresses SQL injection vulnerabilities where untrusted data is embedded into SQL commands without adequate sanitization. Attackers can exploit this by crafting malicious username inputs containing SQL payload sequences that manipulate the underlying database queries to bypass authentication checks or execute unauthorized database operations.

The operational impact of this vulnerability extends far beyond simple authentication bypass, as successful exploitation can lead to complete system compromise and unauthorized data access. Remote attackers can leverage this vulnerability to execute arbitrary SQL commands against the database backend, potentially allowing them to extract sensitive information, modify database contents, or even escalate privileges within the application. The vulnerability affects the core administrative functionality of ActiveCampaign, making it a prime target for attackers seeking persistent access to email broadcast systems that may contain extensive user contact databases and campaign data. This represents a significant risk for organizations relying on the platform for customer communication and marketing automation.

Security mitigations for CVE-2005-3679 should focus on implementing proper input validation and parameterized query execution throughout the application's codebase. Organizations should immediately apply patches released by the software vendor or implement proper input sanitization measures that escape special SQL characters and utilize prepared statements or parameterized queries for all database interactions. The remediation process must address the root cause by ensuring that all user-supplied input, particularly in authentication fields, undergoes rigorous validation before being processed by database systems. Additionally, implementing proper access controls, network segmentation, and monitoring of authentication attempts can help detect and prevent exploitation attempts. This vulnerability demonstrates the critical importance of following secure coding practices and adheres to ATT&CK technique T1190, which involves exploiting vulnerabilities in applications to gain unauthorized access to systems. Organizations should also conduct comprehensive security assessments to identify similar injection vulnerabilities within their broader application ecosystems, as SQL injection remains one of the most prevalent and dangerous web application security threats.

Reservation

11/18/2005

Disclosure

11/18/2005

Moderation

accepted

Entry

VDB-26967

CPE

ready

Exploit

Download

EPSS

0.01265

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!