Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2015-1428

Overview

Vulnerability Score 7.5 7.5
CVE Id CVE-2015-1428
Last Modified 04 Feb 2015 11:59:21
Published 03 Feb 2015 11:59:23
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact PARTIAL PARTIAL
Availability Impact PARTIAL PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2015-1428

Summary

Multiple SQL injection vulnerabilities in Sefrengo before 1.6.2 allow (1) remote attackers to execute arbitrary SQL commands via the sefrengo cookie in a login to backend/main.php or (2) remote authenticated users to execute arbitrary SQL commands via the value_id parameter in a save_value action to backend/main.php.

Vulnerable Systems

Application

  • Sefrengo 1.6.1


References

MISC - https://github.com/sefrengo-cms/sefrengo-1.x/commit/22c0d16bfd715631ed317cc990785ccede478f07

MISC - https://github.com/sefrengo-cms/sefrengo-1.x/commit/0b1edd4b22a47743eff7cfaf884ba2a4e06e15eb

BUGTRAQ - 20150202 Sefrengo CMS v1.6.1 - Multiple SQL Injection Vulnerabilities

MISC - http://www.itas.vn/news/itas-team-found-out-multiple-sql-injection-vulnerabilities-in-sefrengo-cms-v1-6-1-74.html

EXPLOIT-DB - 35972


Last Updated: 27 May 2016 11:07:42