EllisLab ExpressionEngine Core Multiple SQL Injection Vulnerabilities (CVE-2014-5387)
Release date:
Updated on:
Affected Systems:
EllisLab ExpressionEngine Core <= 2.9.0
EllisLab ExpressionEngine Core
Description:
Bugtraq id: 70875
CVE (CAN) ID: CVE-2014-5387
EllisLab ExpressionEngine Core is a content management platform.
EllisLab ExpressionEngine Core 2.9.0 and earlier versions contain multiple SQL injection vulnerabilities. Authenticated users can exploit these vulnerabilities to access sensitive information and perform unauthorized database operations.
<* Source: Jerzy Kramarz
*>
Test method:
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
http://www.example.com/ex/system/index.php?/cp/addons_modules/show_module_cp&module=comment&S=d80babaf271e481ba9a8fde69dd72b28
http://www.example.com/ExpressEngine/system/index.php?/cp/content_publish/entry_form&channel_id=2&entry_id=3&filter=Signature=&S=5711f695056db582aa7427787f525d6f
Suggestion:
Vendor patch:
EllisLab
--------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
https://ellislab.com/expressionengine
Reference:
http://seclists.org/fulldisclosure/2014/Nov/2