CVE-2009-3494
published 2009-09-30CVE-2009-3494: Multiple SQL injection vulnerabilities in index.php in T-HTB Manager 0.5, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL…
PriorityP337medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EXPLOIT
EPSS
0.94%
56.4th percentile
Multiple SQL injection vulnerabilities in index.php in T-HTB Manager 0.5, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in a delete_category action, (2) the name parameter in an update_category action, and other vectors.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| g.rodola | pyftpdlib | >= 0 < 0.5.1 | 0.5.1 |
| g.rodola | pyftpdlib | >= 0 < 0.5.2 | 0.5.2 |
| todor_lazarov | t-htb_manager | — | — |
CVSS provenance
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa4.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-r367-2c67-wh49: Multiple SQL injection vulnerabilities in index
ghsa_unreviewed·2022-05-02
CVE-2009-3494 [MEDIUM] CWE-89 GHSA-r367-2c67-wh49: Multiple SQL injection vulnerabilities in index
Multiple SQL injection vulnerabilities in index.php in T-HTB Manager 0.5, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in a delete_category action, (2) the name parameter in an update_category action, and other vectors.
GHSA
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in pyftpdlib
ghsa·2022-05-02·CVSS 4.3
CVE-2009-5010 [MEDIUM] CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in pyftpdlib
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in pyftpdlib
Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.1 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, a different vulnerability than CVE-2010-3494.
GHSA
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in pyftpdlib
ghsa·2022-05-02·CVSS 4.3
CVE-2009-5011 [MEDIUM] CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in pyftpdlib
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in pyftpdlib
Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.2 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the getpeername function having an ENOTCONN error, a different vulnerability than CVE-2010-3494.
No detection rules found.
http://www.exploit-db.com/exploits/9637http://www.securityfocus.com/archive/1/506386/100/0/threadedhttps://exchange.xforce.ibmcloud.com/vulnerabilities/53145http://www.exploit-db.com/exploits/9637http://www.securityfocus.com/archive/1/506386/100/0/threadedhttps://exchange.xforce.ibmcloud.com/vulnerabilities/53145
2009-09-30
Published