CVE-2012-3953
high
CVSS v3
—
CVSS v2
7.5
VIR risk
7.5
Description
SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — http://www.phplist.com/?lid=579
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| phplist | phplist | {"endIncluding":"2.10.18"} | |
| phplist | phplist | 2.6.5 | |
| phplist | phplist | 2.7.1 | |
| phplist | phplist | 2.7.2 | |
| phplist | phplist | 2.8.2 | |
| phplist | phplist | 2.8.7 | |
| phplist | phplist | 2.8.12 | |
| phplist | phplist | 2.10.1 | |
| phplist | phplist | 2.10.2 | |
| phplist | phplist | 2.10.3 | |
| phplist | phplist | 2.10.4 | |
| phplist | phplist | 2.10.5 | |
| phplist | phplist | 2.10.7 | |
| phplist | phplist | 2.10.8 | |
| phplist | phplist | 2.10.9 | |
| phplist | phplist | 2.10.10 | |
| phplist | phplist | 2.10.11 | |
| phplist | phplist | 2.10.12 | |
| phplist | phplist | 2.10.13 | |
| phplist | phplist | 2.10.14 | |
| phplist | phplist | 2.10.15 | |
| phplist | phplist | 2.10.16 | |
| phplist | phplist | 2.10.17 | |
References
- http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html
- http://osvdb.org/84483
- http://www.phplist.com/?lid=579
- https://exchange.xforce.ibmcloud.com/vulnerabilities/77527
- https://www.htbridge.com/advisory/HTB23100
- http://archives.neohapsis.com/archives/bugtraq/2012-08/0059.html
- http://osvdb.org/84483
- http://www.phplist.com/?lid=579
- https://exchange.xforce.ibmcloud.com/vulnerabilities/77527
- https://www.htbridge.com/advisory/HTB23100
CWEs
CWE-89
Verify integrity in audit chain (admin only). AS-IS.