fanzila WebFinance 0.5 save_roles.php id SQL注入

fanzila WebFinance 0.5中曾发现一漏洞,此漏洞被分类为致命。 受影响的是未知功能文件:htdocs/admin/save_roles.php。 手动调试的软件参数:id不合法输入可导致 SQL注入。 使用CWE来声明会导致 CWE-89 的问题。 此漏洞的脆弱性 2023-02-02公示人身份6cfeb2f6b35c1b3a7320add07cd0493e4f752af3、所发布。 公告共享下载网址是github.com。 该漏洞的交易名称为CVE-2013-10017, 攻击需要在局域网内进行。 有技术细节可用。 没有可利用漏洞。 漏洞利用的当前现价为美元计算大致为USD $0-$5k。 MITRE ATT&CK项目声明攻击技术为T1505。 它被宣布为未定义。 估计零日攻击的地下价格约为$0-$5k。 补丁名称为6cfeb2f6b35c1b3a7320add07cd0493e4f752af3。 错误修复程序下载地址为github.com, 建议采用一个补丁来修正此问题。 该漏洞被披露后,远在此前发表过可能的缓解措施。

字段2023-02-02 20時53分2023-03-04 08時55分2023-03-04 08時58分
vendorfanzilafanzilafanzila
nameWebFinanceWebFinanceWebFinance
version0.50.50.5
filehtdocs/admin/save_roles.phphtdocs/admin/save_roles.phphtdocs/admin/save_roles.php
argumentididid
cwe89 (SQL注入)89 (SQL注入)89 (SQL注入)
risk222
cvss3_vuldb_acLLL
cvss3_vuldb_uiNNN
cvss3_vuldb_sUUU
cvss3_vuldb_cLLL
cvss3_vuldb_iLLL
cvss3_vuldb_aLLL
cvss3_vuldb_rlOOO
cvss3_vuldb_rcCCC
identifier6cfeb2f6b35c1b3a7320add07cd0493e4f752af36cfeb2f6b35c1b3a7320add07cd0493e4f752af36cfeb2f6b35c1b3a7320add07cd0493e4f752af3
urlhttps://github.com/fanzila/WebFinance/commit/6cfeb2f6b35c1b3a7320add07cd0493e4f752af3https://github.com/fanzila/WebFinance/commit/6cfeb2f6b35c1b3a7320add07cd0493e4f752af3https://github.com/fanzila/WebFinance/commit/6cfeb2f6b35c1b3a7320add07cd0493e4f752af3
name补丁补丁补丁
patch_name6cfeb2f6b35c1b3a7320add07cd0493e4f752af36cfeb2f6b35c1b3a7320add07cd0493e4f752af36cfeb2f6b35c1b3a7320add07cd0493e4f752af3
patch_urlhttps://github.com/fanzila/WebFinance/commit/6cfeb2f6b35c1b3a7320add07cd0493e4f752af3https://github.com/fanzila/WebFinance/commit/6cfeb2f6b35c1b3a7320add07cd0493e4f752af3https://github.com/fanzila/WebFinance/commit/6cfeb2f6b35c1b3a7320add07cd0493e4f752af3
advisoryquotehtdocs/admin/save_roles.php: fixed SQL injection, yet againhtdocs/admin/save_roles.php: fixed SQL injection, yet againhtdocs/admin/save_roles.php: fixed SQL injection, yet again
cveCVE-2013-10017CVE-2013-10017CVE-2013-10017
responsibleVulDBVulDBVulDB
date1675292400 (2023-02-02)1675292400 (2023-02-02)1675292400 (2023-02-02)
typeFinancial SoftwareFinancial SoftwareFinancial Software
cvss2_vuldb_acLLL
cvss2_vuldb_ciPPP
cvss2_vuldb_iiPPP
cvss2_vuldb_aiPPP
cvss2_vuldb_rcCCC
cvss2_vuldb_rlOFOFOF
cvss2_vuldb_avAAA
cvss2_vuldb_auSSS
cvss2_vuldb_eNDNDND
cvss3_vuldb_avAAA
cvss3_vuldb_prLLL
cvss3_vuldb_eXXX
cvss2_vuldb_basescore5.25.25.2
cvss2_vuldb_tempscore4.54.54.5
cvss3_vuldb_basescore5.55.55.5
cvss3_vuldb_tempscore5.35.35.3
cvss3_meta_basescore5.55.56.9
cvss3_meta_tempscore5.35.36.9
price_0day$0-$5k$0-$5k$0-$5k
cve_assigned1675292400 (2023-02-02)1675292400 (2023-02-02)
cve_nvd_summaryA vulnerability was found in fanzila WebFinance 0.5. It has been classified as critical. Affected is an unknown function of the file htdocs/admin/save_roles.php. The manipulation of the argument id leads to sql injection. The name of the patch is 6cfeb2f6b35c1b3a7320add07cd0493e4f752af3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-220056.A vulnerability was found in fanzila WebFinance 0.5. It has been classified as critical. Affected is an unknown function of the file htdocs/admin/save_roles.php. The manipulation of the argument id leads to sql injection. The name of the patch is 6cfeb2f6b35c1b3a7320add07cd0493e4f752af3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-220056.
cvss3_nvd_avN
cvss3_nvd_acL
cvss3_nvd_prN
cvss3_nvd_uiN
cvss3_nvd_sU
cvss3_nvd_cH
cvss3_nvd_iH
cvss3_nvd_aH
cvss2_nvd_avA
cvss2_nvd_acL
cvss2_nvd_auS
cvss2_nvd_ciP
cvss2_nvd_iiP
cvss2_nvd_aiP
cvss3_cna_avA
cvss3_cna_acL
cvss3_cna_prL
cvss3_cna_uiN
cvss3_cna_sU
cvss3_cna_cL
cvss3_cna_iL
cvss3_cna_aL
cve_cnaVulDB
cvss2_nvd_basescore5.2
cvss3_nvd_basescore9.8
cvss3_cna_basescore5.5

上一步一览下一步

Interested in the pricing of exploits?

See the underground prices here!