polterguy Phosphorus Five hasta 8.2 CSV Import NonQuery.cs csv.Read sql injection

ArtículoHistoryjsonxmlCTI

Una vulnerabilidad ha sido encontrada en polterguy Phosphorus Five hasta 8.2 y clasificada como crítica. La función csv.Read del archivo plugins/extras/p5.mysql/NonQuery.cs del componente CSV Import es afectada por esta vulnerabilidad. Mediante la manipulación de un input desconocido se causa una vulnerabilidad de clase sql injection. El advisory puede ser descargado de github.com. La vulnerabilidad es identificada como CVE-2018-25070. El ataque se puede llevar a cabo en la red local. Los detalles técnicos son conocidos. Fue declarado como no está definido. Una actualización a la versión 8.3 elimina esta vulnerabilidad. La actualización se puede descargar de github.com. El parche puede ser descargado de github.com. El mejor modo sugerido para mitigar el problema es actualizar a la última versión. Una solución posible ha sido publicada antes y no simplemente después de la publicación de la vulnerabilidad.

Campo	2023-01-07 11:12	2023-01-29 18:40	2023-01-29 18:47
vendor	polterguy	polterguy	polterguy
name	Phosphorus Five	Phosphorus Five	Phosphorus Five
version	<=8.2	<=8.2	<=8.2
component	CSV Import	CSV Import	CSV Import
file	plugins/extras/p5.mysql/NonQuery.cs	plugins/extras/p5.mysql/NonQuery.cs	plugins/extras/p5.mysql/NonQuery.cs
function	csv.Read	csv.Read	csv.Read
cwe	89 (sql injection)	89 (sql injection)	89 (sql injection)
risk	2	2	2
cvss3_vuldb_ac	L	L	L
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	L	L	L
cvss3_vuldb_i	L	L	L
cvss3_vuldb_a	L	L	L
cvss3_vuldb_rl	O	O	O
cvss3_vuldb_rc	C	C	C
identifier	c179a3d0703db55cfe0cb939b89593f2e7a87246	c179a3d0703db55cfe0cb939b89593f2e7a87246	c179a3d0703db55cfe0cb939b89593f2e7a87246
url	https://github.com/polterguy/phosphorusfive/commit/c179a3d0703db55cfe0cb939b89593f2e7a87246	https://github.com/polterguy/phosphorusfive/commit/c179a3d0703db55cfe0cb939b89593f2e7a87246	https://github.com/polterguy/phosphorusfive/commit/c179a3d0703db55cfe0cb939b89593f2e7a87246
name	Upgrade	Upgrade	Upgrade
upgrade_version	8.3	8.3	8.3
upgrade_url	https://github.com/polterguy/phosphorusfive/releases/tag/v8.3	https://github.com/polterguy/phosphorusfive/releases/tag/v8.3	https://github.com/polterguy/phosphorusfive/releases/tag/v8.3
patch_name	c179a3d0703db55cfe0cb939b89593f2e7a87246	c179a3d0703db55cfe0cb939b89593f2e7a87246	c179a3d0703db55cfe0cb939b89593f2e7a87246
patch_url	https://github.com/polterguy/phosphorusfive/commit/c179a3d0703db55cfe0cb939b89593f2e7a87246	https://github.com/polterguy/phosphorusfive/commit/c179a3d0703db55cfe0cb939b89593f2e7a87246	https://github.com/polterguy/phosphorusfive/commit/c179a3d0703db55cfe0cb939b89593f2e7a87246
advisoryquote	Sanity checking column names in [p5.mysql.load-from] To avoid a maliciously malformed CSV file from creating SQL injection …	Sanity checking column names in [p5.mysql.load-from] To avoid a maliciously malformed CSV file from creating SQL injection …	Sanity checking column names in [p5.mysql.load-from] To avoid a maliciously malformed CSV file from creating SQL injection …
cve	CVE-2018-25070	CVE-2018-25070	CVE-2018-25070
responsible	VulDB	VulDB	VulDB
date	1673046000 (2023-01-07)	1673046000 (2023-01-07)	1673046000 (2023-01-07)
cvss2_vuldb_ac	L	L	L
cvss2_vuldb_ci	P	P	P
cvss2_vuldb_ii	P	P	P
cvss2_vuldb_ai	P	P	P
cvss2_vuldb_rc	C	C	C
cvss2_vuldb_rl	OF	OF	OF
cvss2_vuldb_av	A	A	A
cvss2_vuldb_au	S	S	S
cvss2_vuldb_e	ND	ND	ND
cvss3_vuldb_av	A	A	A
cvss3_vuldb_pr	L	L	L
cvss3_vuldb_ui	N	N	N
cvss3_vuldb_e	X	X	X
cvss2_vuldb_basescore	5.2	5.2	5.2
cvss2_vuldb_tempscore	4.5	4.5	4.5
cvss3_vuldb_basescore	5.5	5.5	5.5
cvss3_vuldb_tempscore	5.3	5.3	5.3
cvss3_meta_basescore	5.5	5.5	6.9
cvss3_meta_tempscore	5.3	5.3	6.9
price_0day	$0-$5k	$0-$5k	$0-$5k
cve_assigned		1673046000 (2023-01-07)	1673046000 (2023-01-07)
cve_nvd_summary		A vulnerability has been found in polterguy Phosphorus Five up to 8.2 and classified as critical. This vulnerability affects the function csv.Read of the file plugins/extras/p5.mysql/NonQuery.cs of the component CSV Import. The manipulation leads to sql injection. Upgrading to version 8.3 is able to address this issue. The name of the patch is c179a3d0703db55cfe0cb939b89593f2e7a87246. It is recommended to upgrade the affected component. VDB-217606 is the identifier assigned to this vulnerability.	A vulnerability has been found in polterguy Phosphorus Five up to 8.2 and classified as critical. This vulnerability affects the function csv.Read of the file plugins/extras/p5.mysql/NonQuery.cs of the component CSV Import. The manipulation leads to sql injection. Upgrading to version 8.3 is able to address this issue. The name of the patch is c179a3d0703db55cfe0cb939b89593f2e7a87246. It is recommended to upgrade the affected component. VDB-217606 is the identifier assigned to this vulnerability.
cvss3_nvd_av			N
cvss3_nvd_ac			L
cvss3_nvd_pr			N
cvss3_nvd_ui			N
cvss3_nvd_s			U
cvss3_nvd_c			H
cvss3_nvd_i			H
cvss3_nvd_a			H
cvss2_nvd_av			A
cvss2_nvd_ac			L
cvss2_nvd_au			S
cvss2_nvd_ci			P
cvss2_nvd_ii			P
cvss2_nvd_ai			P
cvss3_cna_av			A
cvss3_cna_ac			L
cvss3_cna_pr			L
cvss3_cna_ui			N
cvss3_cna_s			U
cvss3_cna_c			L
cvss3_cna_i			L
cvss3_cna_a			L
cve_cna			VulDB
cvss2_nvd_basescore			5.2
cvss3_nvd_basescore			9.8
cvss3_cna_basescore			5.5

◂ Anterior Visión De Conjunto Próximo ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!