CVE-2013-7262 — SQL Injection in Mapserver

CWE-89 — SQL Injection7 documents5 sources

Severity

6.8MEDIUMNVD

EPSS

0.2%

top 59.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Osgeo Mapserver Debian Mapserver UMN Mapserver

Timeline

PublishedJan 5

Latest updateMay 13

Description

SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filter.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages4 packages

▶debiandebian/mapserver< mapserver 6.4.1-1 (bookworm)

▶Debianosgeo/mapserver< 6.4.1-1+3

▶NVDosgeo/mapserver6.4.0+24

▶NVDumn/mapserver5.2.3, 5.6.7, 6.0.0+2

🔴Vulnerability Details

GHSA

GHSA-vc7r-pq5v-cj3h: SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis↗2022-05-13

▶

OSV

CVE-2013-7262: SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis↗2014-01-05

▶

📋Vendor Advisories

Debian

CVE-2013-7262: mapserver - SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappo...↗2013

▶

💬Community

Bugzilla

CVE-2013-7262 mapserver: SQL injections with postgis TIME filters↗2014-01-06

▶

Bugzilla

CVE-2013-7262 mapserver: SQL injections with postgis TIME filters [fedora-all]↗2014-01-06

▶

Bugzilla

CVE-2013-7262 mapserver: SQL injections with postgis TIME filters [epel-all]↗2014-01-06

▶