Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2014-9528

Overview

Vulnerability Score 7.5 7.5
CVE Id CVE-2014-9528
Last Modified 06 Jan 2015 02:58:00
Published 06 Jan 2015 10:59:06
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact PARTIAL PARTIAL
Availability Impact PARTIAL PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2014-9528

Summary

SQL injection vulnerability in the actionIndex function in protected/modules_core/notification/controllers/ListController.php in HumHub 0.10.0-rc.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the from parameter to index.php. NOTE: this can be leveraged for cross-site scripting (XSS) attacks via a request that causes an error.

Vulnerable Systems

Application

  • Humhub 0.10.0


References

CONFIRM - https://github.com/humhub/humhub/commit/febb89ab823d0bd6246c6cf460addabb6d7a01d4

XF - humhub-listcontroller-sql-injection(99272)

EXPLOIT-DB - 35510

FULLDISC - 20141209 Humhub SQL injection and multiple persistent XSS vulnerabilities

MISC - http://packetstormsecurity.com/files/129440/Humhub-0.10.0-rc.1-Cross-Site-Scripting-SQL-Injection.html


Last Updated: 27 May 2016 11:07:27