CVE-2014-1636

Sažetak

Multiple SQL injection vulnerabilities in Command School Student Management System 1.06.01 allow remote attackers to execute arbitrary SQL commands via the id parameter in an edit action to (1) admin_school_names.php, (2) admin_subjects.php, (3) admin_grades.php, (4) admin_terms.php, (5) admin_school_years.php, (6) admin_sgrades.php, (7) admin_media_codes_1.php, (8) admin_infraction_codes.php, (9) admin_generations.php, (10) admin_relations.php, (11) admin_titles.php, or (12) health_allergies.php in sw/.

Reference

http://osvdb.org/101874
http://osvdb.org/101875
http://osvdb.org/101876
http://osvdb.org/101877
http://osvdb.org/101878
http://osvdb.org/101879
http://osvdb.org/101880
http://osvdb.org/101881
http://osvdb.org/101882
http://osvdb.org/101883
http://osvdb.org/101884
http://osvdb.org/101885
http://packetstormsecurity.com/files/124708/Command-School-Student-Management-System-1.06.01-SQL-Injection-CSRF-XSS.html
http://www.securityfocus.com/bid/64707
https://exchange.xforce.ibmcloud.com/vulnerabilities/90175

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

30-10-2018 - 16:26

Objavljeno

22-01-2014 - 19:55