CVE-2012-4281
high
CVSS v3
—
CVSS v2
7.5
VIR risk
7.5
Description
Multiple SQL injection vulnerabilities in Travelon Express 6.2.2 allow remote attackers to execute arbitrary SQL commands via the hid parameter to (1) holiday.php or (2) holiday_book.php, (3) id parameter to pages.php, (4) fid parameter to admin/airline-edit.php, or (5) cid parameter to admin/customer-edit.php.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — http://secunia.com/advisories/49118
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| itechscripts | travelon_express | 6.2.2 | |
References
- http://secunia.com/advisories/49118
- http://www.exploit-db.com/exploits/18871
- http://www.osvdb.org/81882
- http://www.osvdb.org/81883
- http://www.osvdb.org/81884
- http://www.osvdb.org/81885
- http://www.osvdb.org/81886
- http://www.securityfocus.com/bid/53500
- http://www.vulnerability-lab.com/get_content.php?id=530
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75540
- http://secunia.com/advisories/49118
- http://www.exploit-db.com/exploits/18871
- http://www.osvdb.org/81882
- http://www.osvdb.org/81883
- http://www.osvdb.org/81884
- http://www.osvdb.org/81885
- http://www.osvdb.org/81886
- http://www.securityfocus.com/bid/53500
- http://www.vulnerability-lab.com/get_content.php?id=530
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75540
CWEs
CWE-89
Verify integrity in audit chain (admin only). AS-IS.