Vulnerability CVE-2008-6383


Published: 2009-03-02   Modified: 2012-02-12

Description:
SQL injection vulnerability in SpeedTech Organization and Resource Manager (Storm) 5.x before 5.x-1.14 and 6.x before 6.x-1.18, a module for Drupal, allows remote authenticated users with storm project access to execute arbitrary SQL commands via unspecified vectors.

Vendor: Drupal
Product: Storm 
Version:
6.x-1.x-dev
6.x-1.9
6.x-1.8
6.x-1.7
6.x-1.6
6.x-1.5
6.x-1.4
6.x-1.3
6.x-1.2
6.x-1.17
6.x-1.16
6.x-1.15
6.x-1.14
6.x-1.13
6.x-1.12
6.x-1.11
6.x-1.10
6.x-1.1
6.x-1.0
5.x-1.x-dev
5.x-1.9
5.x-1.8
5.x-1.7
5.x-1.6
5.x-1.5
5.x-1.4
5.x-1.3
5.x-1.2
5.x-1.13
5.x-1.12
5.x-1.11
5.x-1.10
5.x-1.1

CVSS2 => (AV:N/AC:M/Au:S/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6/10
6.4/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://drupal.org/node/342246
http://www.securityfocus.com/bid/32626
https://exchange.xforce.ibmcloud.com/vulnerabilities/47077

Related CVE
CVE-2019-11876
In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and ...
CVE-2019-10909
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the n...
CVE-2019-6341
In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) ...
CVE-2019-6340
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following co...
CVE-2019-6339
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code...
CVE-2017-6923
In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is m...
CVE-2017-6922
In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rathe...

Copyright 2019, cxsecurity.com

 

Back to Top