Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 7.5
CVE Id: CVE-2012-2740
Last Modified: 13 Sep 2012 12:00:00
Published: 06 Sep 2012 01:55:01
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2012-2740

Summary

SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action.

Vulnerable Systems

Application

  • Phplist 2.10.1

  • Phplist 2.10.10

  • Phplist 2.10.11

  • Phplist 2.10.12

  • Phplist 2.10.13

  • Phplist 2.10.14

  • Phplist 2.10.15

  • Phplist 2.10.16

  • Phplist 2.10.17

  • Phplist 2.10.2

  • Phplist 2.10.3

  • Phplist 2.10.4

  • Phplist 2.10.5

  • Phplist 2.10.7

  • Phplist 2.10.8

  • Phplist 2.10.9


References

CONFIRM - https://www.phplist.com/?lid=567

MISC - https://mantis.phplist.com/view.php?id=16557

MISC - http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php

BID - 52657

MLIST - [oss-security] 20120616 Re: CVE request: phplist before 2.10.18 XSS and sql injection

MLIST - [oss-security] 20120616 CVE request: phplist before 2.10.18 XSS and sql injection

EXPLOIT-DB - 18639

SECTRACK - 1027181


Last Updated: 27 May 2016 11:00:28