CVE-2014-5520

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2014-5520
SQL injection vulnerability in XRMS CRM, possibly 1.99.2, allows remote attackers to execute arbitrary SQL commands via the user_id parameter to plugins/webform/new-form.php, which is not properly handled by plugins/useradmin/fingeruser.php.

7.5 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
http://packetstormsecurity.com/files/128030/XRMS-Blind-SQL-Injection-Command-Execution.html Exploit
http://seclists.org/fulldisclosure/2014/Aug/78 Exploit
http://www.exploit-db.com/exploits/34452 Exploit
http://www.openwall.com/lists/oss-security/2014/08/27/4 Exploit
http://www.openwall.com/lists/oss-security/2014/08/29/1
http://www.securityfocus.com/bid/69446 Exploit
http://packetstormsecurity.com/files/128030/XRMS-Blind-SQL-Injection-Command-Execution.html Exploit
http://seclists.org/fulldisclosure/2014/Aug/78 Exploit
http://www.exploit-db.com/exploits/34452 Exploit
http://www.openwall.com/lists/oss-security/2014/08/27/4 Exploit
http://www.openwall.com/lists/oss-security/2014/08/29/1
http://www.securityfocus.com/bid/69446 Exploit
Configurations

Configuration 1 (hide)

cpe:2.3:a:xrms_crm_project:xrms_crm:1.99.2:*:*:*:*:*:*:*
History

21 Nov 2024, 02:12

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/128030/XRMS-Blind-SQL-Injection-Command-Execution.html - Exploit () http://packetstormsecurity.com/files/128030/XRMS-Blind-SQL-Injection-Command-Execution.html - Exploit
References () http://seclists.org/fulldisclosure/2014/Aug/78 - Exploit () http://seclists.org/fulldisclosure/2014/Aug/78 - Exploit
References () http://www.exploit-db.com/exploits/34452 - Exploit () http://www.exploit-db.com/exploits/34452 - Exploit
References () http://www.openwall.com/lists/oss-security/2014/08/27/4 - Exploit () http://www.openwall.com/lists/oss-security/2014/08/27/4 - Exploit
References () http://www.openwall.com/lists/oss-security/2014/08/29/1 - () http://www.openwall.com/lists/oss-security/2014/08/29/1 -
References () http://www.securityfocus.com/bid/69446 - Exploit () http://www.securityfocus.com/bid/69446 - Exploit
Information

Published : 2014-10-26 20:55

Updated : 2025-04-12 10:46

NVD link : CVE-2014-5520

Mitre link : CVE-2014-5520

CVE.ORG link : CVE-2014-5520

JSON object : View

Products Affected

xrms_crm_project

  • xrms_crm
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')