Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 7.5
CVE Id: CVE-2009-2734
Last Modified: 16 Oct 2009 01:45:54
Published: 16 Oct 2009 12:30:00
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2009-2734

Summary

SQL injection vulnerability in the get_employee function in classweekreport.inc in Achievo before 1.4.0 allows remote attackers to execute arbitrary SQL commands via the userid parameter (aka user_id variable) to dispatch.php.

Vulnerable Systems

Application

  • Achievo 0.7.0
  • Achievo 0.7.1
  • Achievo 0.7.2
  • Achievo 0.7.3
  • Achievo 0.8.0
  • Achievo 0.8.0 Rc1
  • Achievo 0.8.0 Rc2
  • Achievo 0.8.1
  • Achievo 0.9.0
  • Achievo 0.9.1
  • Achievo 1.0.0
  • Achievo 1.0.1
  • Achievo 1.0.2
  • Achievo 1.0.3
  • Achievo 1.0.4
  • Achievo 1.1.0
  • Achievo 1.2.0
  • Achievo 1.2.1
  • Achievo 1.3.0
  • Achievo 1.3.1
  • Achievo 1.3.2
  • Achievo 1.3.3
  • Achievo 1.3.4


References

CONFIRM - http://www.achievo.org/download/releasenotes/1_4_0
XF - achievo-dispatch-sql-injection(53743)
BID - 36660
BUGTRAQ - 20091013 [BONSAI] SQL Injection in Achievo
MISC - http://www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt
SECTRACK - 1023017
SECUNIA - 37035


Last Updated: 27 May 2016 10:51:00