CVE-2010-2672: SQL Injection in Publish

CWE-89: SQL Injection | 2 documents | 2 sources
Severity: 7.5 HIGH (NVD)
EPSS: 0.8% (top 25.32%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jul 8
Latest update: May 17

Description

Multiple SQL injection vulnerabilities in eZ Publish 3.7.0 through 4.2.0 allow remote attackers to execute arbitrary SQL commands via the (1) SectionID and (2) SearchTimestamp parameters to the search feature and the (3) SearchContentClassAttributeID parameter to the advancedsearch feature.

CVSS vector

AV:N/AC:L/C:P/I:P/A:P

Exploitability: 10.0 | Impact: 6.4

Affected Packages (1 package)

NVD | ez/ez_publish | 14 versions

Patches

Vulnerability Details (1)

GHSA
GHSA-xgj5-fv7f-m344: Multiple SQL injection vulnerabilities in eZ Publish 3 | 2022-05-17