ForumHulp searchresults event/listener.php list_keywords word Injecção SQL

Uma vulnerabilidade foi encontrada em ForumHulp searchresults. Foi classificada como crítico. Afectado é a função list_keywords do ficheiro event/listener.php. A manipulação do argumento word com uma entrada desconhecida leva a Injecção SQL. Usar a CWE para declarar o problema leva à CWE-89. O aconselhamento é partilhado para download em github.com. A vulnerabilidade é identificada como CVE-2016-15013. O ataque pode ser levado a cabo na rede local. Os detalhes técnicos estão disponíveis. Não há nenhuma exploração disponível. O projecto MITRE ATT&CK declara a técnica de ataque como T1505. É declarado como não definido. Como 0 dia, o preço estimado do subsolo foi de cerca de $0-$5k. O nome do adesivo é dd8a312bb285ad9735a8e1da58e9e955837b7322. O bugfix está pronto para download em github.com. Recomenda-se a aplicação de um remendo para resolver este problema.

Campo07/01/2023 20h3630/01/2023 02h0030/01/2023 02h08
vendorForumHulpForumHulpForumHulp
namesearchresultssearchresultssearchresults
fileevent/listener.phpevent/listener.phpevent/listener.php
functionlist_keywordslist_keywordslist_keywords
argumentwordwordword
cwe89 (Injecção SQL)89 (Injecção SQL)89 (Injecção SQL)
risk222
cvss3_vuldb_acLLL
cvss3_vuldb_sUUU
cvss3_vuldb_cLLL
cvss3_vuldb_iLLL
cvss3_vuldb_aLLL
cvss3_vuldb_rlOOO
cvss3_vuldb_rcCCC
urlhttps://github.com/ForumHulp/searchresults/pull/2https://github.com/ForumHulp/searchresults/pull/2https://github.com/ForumHulp/searchresults/pull/2
namePatchPatchPatch
patch_namedd8a312bb285ad9735a8e1da58e9e955837b7322dd8a312bb285ad9735a8e1da58e9e955837b7322dd8a312bb285ad9735a8e1da58e9e955837b7322
patch_urlhttps://github.com/ForumHulp/searchresults/commit/dd8a312bb285ad9735a8e1da58e9e955837b7322https://github.com/ForumHulp/searchresults/commit/dd8a312bb285ad9735a8e1da58e9e955837b7322https://github.com/ForumHulp/searchresults/commit/dd8a312bb285ad9735a8e1da58e9e955837b7322
advisoryquoteThis would fix a Major SQL Injection Flaw. I guess the $this->db->sql_escape is the right function.This would fix a Major SQL Injection Flaw. I guess the $this->db->sql_escape is the right function.This would fix a Major SQL Injection Flaw. I guess the $this->db->sql_escape is the right function.
cveCVE-2016-15013CVE-2016-15013CVE-2016-15013
responsibleVulDBVulDBVulDB
date1673046000 (07/01/2023)1673046000 (07/01/2023)1673046000 (07/01/2023)
typeForum SoftwareForum SoftwareForum Software
cvss2_vuldb_acLLL
cvss2_vuldb_ciPPP
cvss2_vuldb_iiPPP
cvss2_vuldb_aiPPP
cvss2_vuldb_rcCCC
cvss2_vuldb_rlOFOFOF
cvss2_vuldb_avAAA
cvss2_vuldb_auSSS
cvss2_vuldb_eNDNDND
cvss3_vuldb_avAAA
cvss3_vuldb_prLLL
cvss3_vuldb_uiNNN
cvss3_vuldb_eXXX
cvss2_vuldb_basescore5.25.25.2
cvss2_vuldb_tempscore4.54.54.5
cvss3_vuldb_basescore5.55.55.5
cvss3_vuldb_tempscore5.35.35.3
cvss3_meta_basescore5.55.56.9
cvss3_meta_tempscore5.35.36.9
price_0day$0-$5k$0-$5k$0-$5k
identifierdd8a312bb285ad9735a8e1da58e9e955837b7322dd8a312bb285ad9735a8e1da58e9e955837b7322
cve_assigned1673046000 (07/01/2023)1673046000 (07/01/2023)
cve_nvd_summaryA vulnerability was found in ForumHulp searchresults. It has been rated as critical. Affected by this issue is the function list_keywords of the file event/listener.php. The manipulation of the argument word leads to sql injection. The name of the patch is dd8a312bb285ad9735a8e1da58e9e955837b7322. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217628.A vulnerability was found in ForumHulp searchresults. It has been rated as critical. Affected by this issue is the function list_keywords of the file event/listener.php. The manipulation of the argument word leads to sql injection. The name of the patch is dd8a312bb285ad9735a8e1da58e9e955837b7322. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217628.
cvss3_nvd_avN
cvss3_nvd_acL
cvss3_nvd_prN
cvss3_nvd_uiN
cvss3_nvd_sU
cvss3_nvd_cH
cvss3_nvd_iH
cvss3_nvd_aH
cvss2_nvd_avA
cvss2_nvd_acL
cvss2_nvd_auS
cvss2_nvd_ciP
cvss2_nvd_iiP
cvss2_nvd_aiP
cvss3_cna_avA
cvss3_cna_acL
cvss3_cna_prL
cvss3_cna_uiN
cvss3_cna_sU
cvss3_cna_cL
cvss3_cna_iL
cvss3_cna_aL
cve_cnaVulDB
cvss2_nvd_basescore5.2
cvss3_nvd_basescore9.8
cvss3_cna_basescore5.5

VoltarVisão GeralPróximo

Want to stay up to date on a daily basis?

Enable the mail alert feature now!