slackero phpwcms до 1.9.26 $phpwcms['db_prepend'] sql-инъекция

ВходИсторияjsonxmlCTI

Уязвимость была найдена в slackero phpwcms до 1.9.26. Она была объявлена как критический. Затронута неизвестная функция. Использование CWE для объявления проблемы приводит к тому, что CWE-89. Консультация доступна по адресу github.com. Эта уязвимость обрабатывается как CVE-2021-4301. Атаку можно инициировать удаленно. Имеются технические подробности. Эксплойт отсутствует. Текущая цена за эксплойт может составлять около USD $0-$5k в настоящее время. Этой уязвимости присвоен номер T1505 проектом MITRE ATT&CK. Объявляется Не определено. В 0-дневный период предполагаемая подземная цена составляла около $0-$5k. Обновление до версии 1.9.27 способно решить эту проблему. Обновленную версию можно скачать по адресу github.com. Название патча следующее 77dafb6a8cc1015f0777daeb5792f43beef77a9d. Исправление готово для загрузки по адресу github.com. Рекомендуется обновить затронутый компонент.

Поле	28.01.2023 11:38	28.01.2023 11:46	28.01.2023 11:54
vendor	slackero	slackero	slackero
name	phpwcms	phpwcms	phpwcms
version	<=1.9.26	<=1.9.26	<=1.9.26
argument	$phpwcms['db_prepend']	$phpwcms['db_prepend']	$phpwcms['db_prepend']
cwe	89 (sql-инъекция)	89 (sql-инъекция)	89 (sql-инъекция)
risk	2	2	2
cvss3_vuldb_av	N	N	N
cvss3_vuldb_ac	L	L	L
cvss3_vuldb_ui	N	N	N
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	L	L	L
cvss3_vuldb_i	L	L	L
cvss3_vuldb_a	L	L	L
cvss3_vuldb_rl	O	O	O
cvss3_vuldb_rc	C	C	C
identifier	77dafb6a8cc1015f0777daeb5792f43beef77a9d	77dafb6a8cc1015f0777daeb5792f43beef77a9d	77dafb6a8cc1015f0777daeb5792f43beef77a9d
url	https://github.com/slackero/phpwcms/commit/77dafb6a8cc1015f0777daeb5792f43beef77a9d	https://github.com/slackero/phpwcms/commit/77dafb6a8cc1015f0777daeb5792f43beef77a9d	https://github.com/slackero/phpwcms/commit/77dafb6a8cc1015f0777daeb5792f43beef77a9d
name	Обновление	Обновление	Обновление
upgrade_version	1.9.27	1.9.27	1.9.27
upgrade_url	https://github.com/slackero/phpwcms/releases/tag/v1.9.27	https://github.com/slackero/phpwcms/releases/tag/v1.9.27	https://github.com/slackero/phpwcms/releases/tag/v1.9.27
patch_name	77dafb6a8cc1015f0777daeb5792f43beef77a9d	77dafb6a8cc1015f0777daeb5792f43beef77a9d	77dafb6a8cc1015f0777daeb5792f43beef77a9d
patch_url	https://github.com/slackero/phpwcms/commit/77dafb6a8cc1015f0777daeb5792f43beef77a9d	https://github.com/slackero/phpwcms/commit/77dafb6a8cc1015f0777daeb5792f43beef77a9d	https://github.com/slackero/phpwcms/commit/77dafb6a8cc1015f0777daeb5792f43beef77a9d
advisoryquote	Prevent $phpwcms['db_prepend'] from SQL injection	Prevent $phpwcms['db_prepend'] from SQL injection	Prevent $phpwcms['db_prepend'] from SQL injection
cve	CVE-2021-4301	CVE-2021-4301	CVE-2021-4301
responsible	VulDB	VulDB	VulDB
date	1672786800 (04.01.2023)	1672786800 (04.01.2023)	1672786800 (04.01.2023)
cvss2_vuldb_av	N	N	N
cvss2_vuldb_ac	L	L	L
cvss2_vuldb_ci	P	P	P
cvss2_vuldb_ii	P	P	P
cvss2_vuldb_ai	P	P	P
cvss2_vuldb_rc	C	C	C
cvss2_vuldb_rl	OF	OF	OF
cvss2_vuldb_au	S	S	S
cvss2_vuldb_e	ND	ND	ND
cvss3_vuldb_pr	L	L	L
cvss3_vuldb_e	X	X	X
cvss2_vuldb_basescore	6.5	6.5	6.5
cvss2_vuldb_tempscore	5.7	5.7	5.7
cvss3_vuldb_basescore	6.3	6.3	6.3
cvss3_vuldb_tempscore	6.0	6.0	6.0
cvss3_meta_basescore	6.3	7.5	7.5
cvss3_meta_tempscore	6.0	7.4	7.4
price_0day	$0-$5k	$0-$5k	$0-$5k
type	Content Management System	Content Management System	Content Management System
cve_assigned	1672786800 (04.01.2023)	1672786800 (04.01.2023)	1672786800 (04.01.2023)
cve_nvd_summary	A vulnerability was found in slackero phpwcms up to 1.9.26 and classified as critical. Affected by this issue is some unknown functionality. The manipulation of the argument $phpwcms['db_prepend'] leads to sql injection. The attack may be launched remotely. Upgrading to version 1.9.27 is able to address this issue. The name of the patch is 77dafb6a8cc1015f0777daeb5792f43beef77a9d. It is recommended to upgrade the affected component. VDB-217418 is the identifier assigned to this vulnerability.	A vulnerability was found in slackero phpwcms up to 1.9.26 and classified as critical. Affected by this issue is some unknown functionality. The manipulation of the argument $phpwcms['db_prepend'] leads to sql injection. The attack may be launched remotely. Upgrading to version 1.9.27 is able to address this issue. The name of the patch is 77dafb6a8cc1015f0777daeb5792f43beef77a9d. It is recommended to upgrade the affected component. VDB-217418 is the identifier assigned to this vulnerability.	A vulnerability was found in slackero phpwcms up to 1.9.26 and classified as critical. Affected by this issue is some unknown functionality. The manipulation of the argument $phpwcms['db_prepend'] leads to sql injection. The attack may be launched remotely. Upgrading to version 1.9.27 is able to address this issue. The name of the patch is 77dafb6a8cc1015f0777daeb5792f43beef77a9d. It is recommended to upgrade the affected component. VDB-217418 is the identifier assigned to this vulnerability.
cvss3_nvd_av		N	N
cvss3_nvd_ac		L	L
cvss3_nvd_pr		N	N
cvss3_nvd_ui		N	N
cvss3_nvd_s		U	U
cvss3_nvd_c		H	H
cvss3_nvd_i		H	H
cvss3_nvd_a		H	H
cvss2_nvd_av		N	N
cvss2_nvd_ac		L	L
cvss2_nvd_au		S	S
cvss2_nvd_ci		P	P
cvss2_nvd_ii		P	P
cvss2_nvd_ai		P	P
cvss3_cna_av		N	N
cvss3_cna_ac		L	L
cvss3_cna_pr		L	L
cvss3_cna_ui		N	N
cvss3_cna_s		U	U
cvss3_cna_c		L	L
cvss3_cna_i		L	L
cvss3_cna_a		L	L
cve_cna		VulDB	VulDB
cvss2_nvd_basescore		6.5	6.5
cvss3_nvd_basescore		9.8	9.8
cvss3_cna_basescore		6.3	6.3

◂ Предыдущий Обзор Далее ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!