Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 7.5
CVE Id CVE-2015-1442
Last Modified 09 Feb 2015 09:14:34
Published 06 Feb 2015 10:59:13
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2015-1442

Summary

SQL injection vulnerability in views/zero_transact_user.php in the administrative backend in ZeroCMS 1.3.3, 1.3.2, and earlier allows remote authenticated users to execute arbitrary SQL commands via the user_id parameter in a Modify Account action. NOTE: The article_id parameter to zero_view_article.php vector is already covered by CVE-2014-4034.

Vulnerable Systems

Application

  • Aas9 Zerocms 1.3.2

  • Aas9 Zerocms 1.3.3


References

BID - 72398

MISC - http://sroesemann.blogspot.de/2015/02/addition-for-advisory-sroeadv-2015-14.html

MISC - http://sroesemann.blogspot.de/2015/01/sroeadv-2015-13.html

MISC - http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-14.html

MLIST - [oss-security] 20150201 Re: CVE-Request -- Zerocms <= v. 1.3.3 -- SQL injection vulnerabilities

MLIST - [oss-security] 20150201 CVE-Request -- Zerocms <= v. 1.3.3 -- SQL injection vulnerabilities

FULLDISC - 20150201 SQL injection vulnerabilities in zerocms <= v.1.3.3

MISC - http://packetstormsecurity.com/files/130192/ZeroCMS-1.3.3-SQL-Injection.html


Last Updated: 27 May 2016 11:07:43