CVE-2013-2945 - OpenCVE

SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
B2evolution	B2evolution

Configuration 1 [-]

OR	cpe:2.3:a:b2evolution:b2evolution::::::::
	cpe:2.3:a:b2evolution:b2evolution:4.1.0:::::::*
	cpe:2.3:a:b2evolution:b2evolution:4.1.1:::::::*
	cpe:2.3:a:b2evolution:b2evolution:4.1.2:::::::*
	cpe:2.3:a:b2evolution:b2evolution:4.1.3:::::::*
	cpe:2.3:a:b2evolution:b2evolution:4.1.4:::::::*
	cpe:2.3:a:b2evolution:b2evolution:4.1.5:::::::*

No data.

References

Link	Providers
http://archives.neohapsis.com/archives/bugtraq/2013-05/0004.html
http://b2evolution.net/news/2013/04/29/b2evolution-4-1-7-and-5-0-3
http://osvdb.org/92905
http://packetstormsecurity.com/files/121481/b2evolution-4.1.6-SQL-Injection.html
http://www.securityfocus.com/bid/59599
https://exchange.xforce.ibmcloud.com/vulnerabilities/83950
https://www.htbridge.com/advisory/HTB23152

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-04-02T15:00:00

Updated: 2024-08-06T15:52:21.590Z

Reserved: 2013-04-11T00:00:00

Link: CVE-2013-2945

Vulnrichment

No data.

NVD

Status : Modified

Published: 2014-04-02T16:17:06.697

Modified: 2017-08-29T01:33:17.340

Link: CVE-2013-2945

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-05-01T00:00:00", "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20130501 SQL Injection in b2evolution", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-05/0004.html"}, {"name": "b2evolution-admin-sql-injection(83950)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83950"}, {"name": "59599", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/59599"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/121481/b2evolution-4.1.6-SQL-Injection.html"}, {"name": "92905", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/92905"}, {"tags": ["x_refsource_MISC"], "url": "http://b2evolution.net/news/2013/04/29/b2evolution-4-1-7-and-5-0-3"}, {"tags": ["x_refsource_MISC"], "url": "https://www.htbridge.com/advisory/HTB23152"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-2945", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20130501 SQL Injection in b2evolution", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2013-05/0004.html"}, {"name": "b2evolution-admin-sql-injection(83950)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83950"}, {"name": "59599", "refsource": "BID", "url": "http://www.securityfocus.com/bid/59599"}, {"name": "http://packetstormsecurity.com/files/121481/b2evolution-4.1.6-SQL-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/121481/b2evolution-4.1.6-SQL-Injection.html"}, {"name": "92905", "refsource": "OSVDB", "url": "http://osvdb.org/92905"}, {"name": "http://b2evolution.net/news/2013/04/29/b2evolution-4-1-7-and-5-0-3", "refsource": "MISC", "url": "http://b2evolution.net/news/2013/04/29/b2evolution-4-1-7-and-5-0-3"}, {"name": "https://www.htbridge.com/advisory/HTB23152", "refsource": "MISC", "url": "https://www.htbridge.com/advisory/HTB23152"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T15:52:21.590Z"}, "title": "CVE Program Container", "references": [{"name": "20130501 SQL Injection in b2evolution", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-05/0004.html"}, {"name": "b2evolution-admin-sql-injection(83950)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83950"}, {"name": "59599", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/59599"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/121481/b2evolution-4.1.6-SQL-Injection.html"}, {"name": "92905", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/92905"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://b2evolution.net/news/2013/04/29/b2evolution-4-1-7-and-5-0-3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.htbridge.com/advisory/HTB23152"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-2945", "datePublished": "2014-04-02T15:00:00", "dateReserved": "2013-04-11T00:00:00", "dateUpdated": "2024-08-06T15:52:21.590Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:b2evolution:b2evolution:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B95D379-00DA-41FA-BD90-7A298DC799FD", "versionEndIncluding": "4.1.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:b2evolution:b2evolution:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "744254C5-B523-4B8F-93B4-BE440F45D0FC", "vulnerable": true}, {"criteria": "cpe:2.3:a:b2evolution:b2evolution:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "5634AF1D-1F2F-41A0-8799-128FD246A55F", "vulnerable": true}, {"criteria": "cpe:2.3:a:b2evolution:b2evolution:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "FD69355B-C450-46E8-B693-8AA3A44BD73C", "vulnerable": true}, {"criteria": "cpe:2.3:a:b2evolution:b2evolution:4.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "C1C718A7-E2EB-4881-98D4-919A32C17DF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:b2evolution:b2evolution:4.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "39CF7F8F-F078-413E-B36D-268703DC185B", "vulnerable": true}, {"criteria": "cpe:2.3:a:b2evolution:b2evolution:4.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "E2F17ABF-1DBB-4C68-BB91-A1FC2F6AA0A6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en blogs/admin.php en b2evolution anterior a 4.1.7 permite a administradores remotos autenticados ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro show_statuses[]. NOTA: esto puede ser aprovechado utilizando CSRF para permitir a atacantes no autenticados ejecutar comandos SQL arbitrarios."}], "id": "CVE-2013-2945", "lastModified": "2017-08-29T01:33:17.340", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-04-02T16:17:06.697", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-05/0004.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://b2evolution.net/news/2013/04/29/b2evolution-4-1-7-and-5-0-3"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/92905"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/121481/b2evolution-4.1.6-SQL-Injection.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/59599"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83950"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://www.htbridge.com/advisory/HTB23152"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}