CVE-2013-0135
published 2013-04-09
CVE-2013-0135: Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1)…
Priority P3 · 50 · high · 7.5 CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS 2.98% (85.6th percentile)
Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) addressbook/register/edit_user_save.php; the email parameter to (4) addressbook/register/edit_user_save.php, (5) addressbook/register/reset_password.php, (6) addressbook/register/reset_password_save.php, or (7) addressbook/register/user_add_save.php; the username parameter to (8) addressbook/register/checklogin.php or (9) addressbook/register/reset_password_save.php; the (10) lastname, (11) firstname, (12) phone, (13) permissions, or (14) notes parameter to addressbook/register/edit_user_save.php; the (15) q parameter to addressbook/register/admin_index.php; the (16) site parameter to addressbook/register/linktick.php; the (17) password parameter to addressbook/register/reset_password.php; the (18) password_hint parameter to addressbook/register/reset_password_save.php; the (19) var parameter to addressbook/register/traffic.php; or a (20) BasicLogin cookie to addressbook/register/router.php.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chatelao | php_address_book | — | — |
GHSA
GHSA-8ghr-cp29-5hpm: Cross-site request forgery (CSRF) vulnerability in addressbook/register/delete_user
ghsa_unreviewed·2022-05-17·CVSS 7.5
CVE-2013-2778 [HIGH] CWE-352
Cross-site request forgery (CSRF) vulnerability in addressbook/register/delete_user.php in PHP Address Book 8.2.5 allows remote attackers to hijack the authentication of administrators for requests that delete accounts, a different vulnerability than CVE-2013-0135.
GHSA
GHSA-v8p7-q2fq-mr8w: Multiple SQL injection vulnerabilities in PHP Address Book 8
ghsa_unreviewed·2022-05-05
CVE-2013-0135 [HIGH] CWE-89
Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) addressbook/register/edit_user_save.php; the email parameter to (4) addressbook/register/edit_user_save.php, (5) addressbook/register/reset_password.php, (6) addressbook/register/reset_password_save.php, or (7) addressbook/register/user_add_save.php; the username parameter to (8) addressbook/register/checklogin.php or (9) addressbook/register/reset_password_save.php; the (10) lastname, (11) firstname, (12) phone, (13) permissions, or (14) notes parameter to addressbook/register/edit_user_save.php; the (15) q parameter to addressbook/register/admin_index.php;
No detection rules found.
Exploit-DB
PHP Address Book - '/addressbook/register/checklogin.php?Username' SQL Injection
exploitdb·2013-04-05
CVE-2013-0135
---
source: https://www.securityfocus.com/bid/58911/info
PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/addressbook/register/checklogin.php?username={insert}&password=pass
Exploit-DB
PHP Address Book - '/addressbook/register/delete_user.php?id' SQL Injection
exploitdb·2013-04-05
CVE-2013-0135
---
source: https://www.securityfocus.com/bid/58911/info
http://www.example.com/addressbook/register/delete_user.php?id={insert}
Exploit-DB
PHP Address Book - '/addressbook/register/user_add_save.php?email' SQL Injection
exploitdb·2013-04-05
CVE-2013-0135
---
source: https://www.securityfocus.com/bid/58911/info
http://www.example.com/addressbook/register/user_add_save.php POST var email
Exploit-DB
PHP Address Book - '/addressbook/register/reset_password_save.php' Multiple SQL Injections
exploitdb·2013-04-05
CVE-2013-0135
---
source: https://www.securityfocus.com/bid/58911/info
http://www.example.com/addressbook/register/reset_password_save.php?username={insert}&password=&password_confirm=&password_hint={insert}&email={insert}
Exploit-DB
PHP Address Book - '/addressbook/register/admin_index.php?q' SQL Injection
exploitdb·2013-04-05
CVE-2013-0135
---
source: https://www.securityfocus.com/bid/58911/info
http://www.example.com/addressbook/register/admin_index.php?q={insert}
Exploit-DB
PHP Address Book - '/addressbook/register/edit_user.php?id' SQL Injection
exploitdb·2013-04-05
CVE-2013-0135
---
source: https://www.securityfocus.com/bid/58911/info
http://www.example.com/addressbook/register/edit_user.php?id={insert}
Exploit-DB
PHP Address Book - '/addressbook/register/linktick.php?site' SQL Injection
exploitdb·2013-04-05
CVE-2013-0135
---
source: https://www.securityfocus.com/bid/58911/info
http://www.example.com/addressbook/register/linktick.php?site={insert}
Exploit-DB
PHP Address Book - '/addressbook/register/traffic.php?var' SQL Injection
exploitdb·2013-04-05
CVE-2013-0135
---
source: https://www.securityfocus.com/bid/58911/info
http://www.example.com/addressbook/register/traffic.php?var={insert}
Exploit-DB
PHP Address Book - '/addressbook/register/reset_password.php' Multiple SQL Injections
exploitdb·2013-04-05
CVE-2013-0135
---
source: https://www.securityfocus.com/bid/58911/info
http://www.example.com/addressbook/register/reset_password.php?email={insert}&password={insert}
Exploit-DB
PHP Address Book - '/addressbook/register/edit_user_save.php' Multiple SQL Injections
exploitdb·2013-04-05
CVE-2013-0135
---
source: https://www.securityfocus.com/bid/58911/info
http://www.example.com/addressbook/register/edit_user_save.php?id={insert}&lastname={insert}&firstname={insert}&phone={insert}&email={insert}&permissions={insert}&notes={insert}
Exploit-DB
PHP Address Book - '/addressbook/register/router.php?BasicLogin' Cookie SQL Injection
exploitdb·2013-04-05
CVE-2013-0135
---
source: https://www.securityfocus.com/bid/58911/info
http://www.example.com/addressbook/register/router.php COOKIE var BasicLogin
Bugzilla
CVE-2013-5889 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
bugzilla·2014-01-15·CVSS 9.3
CVE-2013-5889 [CRITICAL]
Oracle Java SE 6u71 and 7u51 fix an unspecified vulnerability in the Deployment component (CVE-2013-5889). Upstream has CVSSv2 scored this issue as: 9.3/AV:N/AC:M/Au:N/C:C/I:C/A:C
External Reference:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixJAVA
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2014:0030 https://rhn.redhat.com/errata/RHSA-2014-0030.html
---
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2014:0135 https://rhn.redhat.com
Bugzilla
CVE-2013-5898 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
bugzilla·2014-01-15·CVSS 4.0
CVE-2013-5898 [MEDIUM]
Oracle Java SE 6u71 and 7u51 fix an unspecified vulnerability in the Deployment component (CVE-2013-5898). Upstream has CVSSv2 scored this issue as: 4.0/AV:N/AC:H/Au:N/C:P/I:P/A:N
External Reference:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixJAVA
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2014:0030 https://rhn.redhat.com/errata/RHSA-2014-0030.html
---
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2014:0135 https://rhn.redhat.com
Bugzilla
CVE-2013-5899 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
bugzilla·2014-01-15·CVSS 5.0
CVE-2013-5899 [MEDIUM]
Oracle Java SE 6u71 and 7u51 fix an unspecified vulnerability in the Deployment component (CVE-2013-5899). Upstream has CVSSv2 scored this issue as: 5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
External Reference:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixJAVA
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2014:0030 https://rhn.redhat.com/errata/RHSA-2014-0030.html
---
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2014:0135 https://rhn.redhat.com
Bugzilla
CVE-2013-5887 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
bugzilla·2014-01-15·CVSS 5.0
CVE-2013-5887 [MEDIUM]
Oracle Java SE 6u71 and 7u51 fix an unspecified vulnerability in the Deployment component (CVE-2013-5887). Upstream has CVSSv2 scored this issue as: 5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
External Reference:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixJAVA
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2014:0030 https://rhn.redhat.com/errata/RHSA-2014-0030.html
---
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2014:0135 https://rhn.redhat.com
Bugzilla
CVE-2013-5888 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
bugzilla·2014-01-15·CVSS 4.6
CVE-2013-5888 [MEDIUM]
Oracle Java SE 6u71 and 7u51 fix an unspecified vulnerability in the Deployment component (CVE-2013-5888). Upstream has CVSSv2 scored this issue as: 4.6/AV:L/AC:L/Au:N/C:P/I:P/A:P
External Reference:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixJAVA
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2014:0030 https://rhn.redhat.com/errata/RHSA-2014-0030.html
---
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2014:0135 https://rhn.redhat.com
References:
http://packetstormsecurity.com/files/129789/PHP-Address-Book-Cross-Site-Scripting-SQL-Injection.html
http://www.acadion.nl/labs/advisory/20130203-phpaddressbook.html
http://www.kb.cert.org/vuls/id/183692
https://exchange.xforce.ibmcloud.com/vulnerabilities/99623
Published 2013-04-09