CVE-2014-100012 in Sendyinfo

Summary

by MITRE

SQL injection vulnerability in /app in Sendy 1.1.8.4 allows remote attackers to execute arbitrary SQL commands via the i parameter.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/21/2025

This vulnerability exists within the Sendy email marketing platform version 1.1.8.4 where a SQL injection flaw is present in the application's handling of the i parameter within the /app directory. The flaw stems from inadequate input validation and sanitization mechanisms that fail to properly escape or filter user-supplied data before incorporating it into database queries. Attackers can exploit this weakness by crafting malicious payloads in the i parameter that manipulate the underlying SQL execution flow. The vulnerability falls under CWE-89 which specifically addresses SQL injection flaws where untrusted data is directly included in SQL command strings without proper sanitization. This allows adversaries to execute arbitrary SQL commands on the database server, potentially gaining unauthorized access to sensitive information including user credentials, email lists, and system configurations.

The operational impact of this vulnerability extends beyond simple data theft as it provides attackers with the capability to manipulate database contents, create backdoor accounts, modify system parameters, and potentially escalate privileges within the application environment. Remote attackers can leverage this vulnerability without requiring authentication to the system, making it particularly dangerous for web applications that handle sensitive user data. The attack vector specifically targets the i parameter which suggests that the vulnerability may be present in application components that handle identifiers or internal references, commonly used in database operations. This vulnerability aligns with ATT&CK technique T1071.005 which covers application layer protocol manipulation and T1190 which addresses exploitation of remote services.

Mitigation strategies should focus on implementing proper input validation and parameterized queries to prevent user-supplied data from being interpreted as SQL commands. The recommended approach involves using prepared statements with bound parameters instead of dynamic SQL construction, ensuring that all inputs are properly escaped or validated before database interaction. Additionally, implementing proper access controls and database user permissions can limit the damage from successful exploitation attempts. Regular security updates and patch management should be enforced to address similar vulnerabilities in the application ecosystem. The fix should include sanitizing all user inputs through proper encoding mechanisms and implementing proper error handling that does not reveal database structure information to unauthorized users. Organizations should also consider implementing web application firewalls and intrusion detection systems to monitor for suspicious SQL injection patterns in network traffic.

Reservation

01/13/2015

Disclosure

01/13/2015

Moderation

accepted

Entry

VDB-73602

CPE

ready

Exploit

Download

EPSS

0.01203

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!