CVE-2018-25071 - OpenCVE

A vulnerability was found in roxlukas LMeve up to 0.1.58. It has been rated as critical. Affected by this issue is the function insert_log of the file wwwroot/ccpwgl/proxy.php. The manipulation of the argument fetch leads to sql injection. Upgrading to version 0.1.59-beta is able to address this issue. The patch is identified as c25ff7fe83a2cda1fcb365b182365adc3ffae332. It is recommended to upgrade the affected component. VDB-217610 is the identifier assigned to this vulnerability.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:A/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lmeve Project	Lmeve

Configuration 1 [-]

cpe:2.3:a:lmeve_project:lmeve:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/roxlukas/lmeve/commit/c25ff7fe83a2cda1fcb365b182365adc3ffae332
https://github.com/roxlukas/lmeve/releases/tag/0.1.59-beta
https://vuldb.com/?ctiid.217610
https://vuldb.com/?id.217610

History

No history.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2023-01-07T11:28:15.497Z

Updated: 2024-08-05T12:33:47.765Z

Reserved: 2023-01-07T11:27:50.644Z

Link: CVE-2018-25071

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-07T12:15:08.900

Modified: 2024-05-17T01:27:28.220

Link: CVE-2018-25071

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2018-25071", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2023-01-07T11:27:50.644Z", "datePublished": "2023-01-07T11:28:15.497Z", "dateUpdated": "2024-08-05T12:33:47.765Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2023-10-20T12:25:05.864Z"}, "title": "roxlukas LMeve proxy.php insert_log sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 SQL Injection"}]}], "affected": [{"vendor": "roxlukas", "product": "LMeve", "versions": [{"version": "0.1.0", "status": "affected"}, {"version": "0.1.1", "status": "affected"}, {"version": "0.1.2", "status": "affected"}, {"version": "0.1.3", "status": "affected"}, {"version": "0.1.4", "status": "affected"}, {"version": "0.1.5", "status": "affected"}, {"version": "0.1.6", "status": "affected"}, {"version": "0.1.7", "status": "affected"}, {"version": "0.1.8", "status": "affected"}, {"version": "0.1.9", "status": "affected"}, {"version": "0.1.10", "status": "affected"}, {"version": "0.1.11", "status": "affected"}, {"version": "0.1.12", "status": "affected"}, {"version": "0.1.13", "status": "affected"}, {"version": "0.1.14", "status": "affected"}, {"version": "0.1.15", "status": "affected"}, {"version": "0.1.16", "status": "affected"}, {"version": "0.1.17", "status": "affected"}, {"version": "0.1.18", "status": "affected"}, {"version": "0.1.19", "status": "affected"}, {"version": "0.1.20", "status": "affected"}, {"version": "0.1.21", "status": "affected"}, {"version": "0.1.22", "status": "affected"}, {"version": "0.1.23", "status": "affected"}, {"version": "0.1.24", "status": "affected"}, {"version": "0.1.25", "status": "affected"}, {"version": "0.1.26", "status": "affected"}, {"version": "0.1.27", "status": "affected"}, {"version": "0.1.28", "status": "affected"}, {"version": "0.1.29", "status": "affected"}, {"version": "0.1.30", "status": "affected"}, {"version": "0.1.31", "status": "affected"}, {"version": "0.1.32", "status": "affected"}, {"version": "0.1.33", "status": "affected"}, {"version": "0.1.34", "status": "affected"}, {"version": "0.1.35", "status": "affected"}, {"version": "0.1.36", "status": "affected"}, {"version": "0.1.37", "status": "affected"}, {"version": "0.1.38", "status": "affected"}, {"version": "0.1.39", "status": "affected"}, {"version": "0.1.40", "status": "affected"}, {"version": "0.1.41", "status": "affected"}, {"version": "0.1.42", "status": "affected"}, {"version": "0.1.43", "status": "affected"}, {"version": "0.1.44", "status": "affected"}, {"version": "0.1.45", "status": "affected"}, {"version": "0.1.46", "status": "affected"}, {"version": "0.1.47", "status": "affected"}, {"version": "0.1.48", "status": "affected"}, {"version": "0.1.49", "status": "affected"}, {"version": "0.1.50", "status": "affected"}, {"version": "0.1.51", "status": "affected"}, {"version": "0.1.52", "status": "affected"}, {"version": "0.1.53", "status": "affected"}, {"version": "0.1.54", "status": "affected"}, {"version": "0.1.55", "status": "affected"}, {"version": "0.1.56", "status": "affected"}, {"version": "0.1.57", "status": "affected"}, {"version": "0.1.58", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in roxlukas LMeve up to 0.1.58. It has been rated as critical. Affected by this issue is the function insert_log of the file wwwroot/ccpwgl/proxy.php. The manipulation of the argument fetch leads to sql injection. Upgrading to version 0.1.59-beta is able to address this issue. The patch is identified as c25ff7fe83a2cda1fcb365b182365adc3ffae332. It is recommended to upgrade the affected component. VDB-217610 is the identifier assigned to this vulnerability."}, {"lang": "de", "value": "Eine kritische Schwachstelle wurde in roxlukas LMeve bis 0.1.58 ausgemacht. Davon betroffen ist die Funktion insert_log der Datei wwwroot/ccpwgl/proxy.php. Durch Manipulieren des Arguments fetch mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Ein Aktualisieren auf die Version 0.1.59-beta vermag dieses Problem zu l\u00f6sen. Der Patch wird als c25ff7fe83a2cda1fcb365b182365adc3ffae332 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.2, "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P"}}], "timeline": [{"time": "2023-01-07T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2023-01-07T00:00:00.000Z", "lang": "en", "value": "CVE reserved"}, {"time": "2023-01-07T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2023-01-29T19:47:57.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "VulDB GitHub Commit Analyzer", "type": "tool"}], "references": [{"url": "https://vuldb.com/?id.217610", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.217610", "tags": ["signature", "permissions-required"]}, {"url": "https://github.com/roxlukas/lmeve/commit/c25ff7fe83a2cda1fcb365b182365adc3ffae332", "tags": ["patch"]}, {"url": "https://github.com/roxlukas/lmeve/releases/tag/0.1.59-beta", "tags": ["patch"]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:33:47.765Z"}, "title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.217610", "tags": ["vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.217610", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://github.com/roxlukas/lmeve/commit/c25ff7fe83a2cda1fcb365b182365adc3ffae332", "tags": ["patch", "x_transferred"]}, {"url": "https://github.com/roxlukas/lmeve/releases/tag/0.1.59-beta", "tags": ["patch", "x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lmeve_project:lmeve:*:*:*:*:*:*:*:*", "matchCriteriaId": "46999301-778F-4D41-BC0F-2E9485F37231", "versionEndIncluding": "0.1.58", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in roxlukas LMeve up to 0.1.58. It has been rated as critical. Affected by this issue is the function insert_log of the file wwwroot/ccpwgl/proxy.php. The manipulation of the argument fetch leads to sql injection. Upgrading to version 0.1.59-beta is able to address this issue. The patch is identified as c25ff7fe83a2cda1fcb365b182365adc3ffae332. It is recommended to upgrade the affected component. VDB-217610 is the identifier assigned to this vulnerability."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en roxlukas LMeve hasta 0.1.58. Ha sido declarada como cr\u00edtica. La funci\u00f3n insert_log del archivo wwwroot/ccpwgl/proxy.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento buscar conduce a la inyecci\u00f3n SQL. La actualizaci\u00f3n a la versi\u00f3n 0.1.59-beta puede solucionar este problema. El parche se identifica como c25ff7fe83a2cda1fcb365b182365adc3ffae332. Se recomienda actualizar el componente afectado. VDB-217610 es el identificador asignado a esta vulnerabilidad."}], "id": "CVE-2018-25071", "lastModified": "2024-05-17T01:27:28.220", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.2, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 5.1, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2023-01-07T12:15:08.900", "references": [{"source": "cna@vuldb.com", "tags": ["Patch"], "url": "https://github.com/roxlukas/lmeve/commit/c25ff7fe83a2cda1fcb365b182365adc3ffae332"}, {"source": "cna@vuldb.com", "tags": ["Release Notes"], "url": "https://github.com/roxlukas/lmeve/releases/tag/0.1.59-beta"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?ctiid.217610"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://vuldb.com/?id.217610"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Secondary"}]}