Vulnerability CVE-2015-1471


Published: 2015-02-12   Modified: 2015-02-13

Description:
SQL injection vulnerability in userprofile.lib.php in Pragyan CMS 3.0 allows remote attackers to execute arbitrary SQL commands via the user parameter to the default URI.

Type:

CWE-89

(Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

Vendor: Pragyan cms project
Product: Pragyan cms 
Version: 3.0;

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
https://github.com/delta/pragyan/issues/206
https://github.com/delta/pragyan/commit/c93bc100ec93fc78940fbdca9b6b009101858309
http://sroesemann.blogspot.de/2015/02/advisory-for-sroeadv-2015-11.html
http://sroesemann.blogspot.de/2015/01/sroeadv-2015-11.html
http://seclists.org/oss-sec/2015/q1/402
http://seclists.org/fulldisclosure/2015/Feb/18
http://pastebin.com/ip2gGYuS

Copyright 2017, cxsecurity.com