oss-sec mailing list archives
CVE-Request -- Pragyan CMS v.3.0 -- SQL injection vulnerability
From: Steffen Rösemann <steffen.roesemann1986 () gmail com>
Date: Tue, 3 Feb 2015 21:46:01 +0100
Hi Steve, Josh, vendors, list.

I found an SQL injection vulnerability in Pragyan CMS v. 3.0.

Attackers can exploit that vulnerability by appending arbitrary SQL queries to a registered user's profile id without being authenticated.

Exploit-Example:

http:// {TARGET}/user:1%27+and+1=2+union+select+database%28%29,version%28%29,3+--+

Can you please assign a CVE-ID for that?

Thank you!

Greetings.

Steffen Rösemann

References:

[1] http://delta.nitt.edu/ / https://github.com/delta/pragyan
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-11.html
[3] https://github.com/delta/pragyan/issues/206
[4] https://github.com/sroesemann/pragyan
[5] http://pastebin.com/ip2gGYuS
[6] http://sroesemann.blogspot.de/2015/02/advisory-for-sroeadv-2015-11.html
[7] http://seclists.org/fulldisclosure/2015/Feb/18