CVE-2013-7349
Published: 2014-04-01
Priority: P3 · 47 · high · CVSS 2.0 base score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT · EPSS 2.66% (83.8th percentile)
Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote attackers to execute arbitrary SQL commands via the (1) news_id parameter to news/send.php, (2) thread_id parameter to posts/edit.php, or (3) user_email parameter to users/password.php or (4) users/register.php. NOTE: these issues were SPLIT from CVE-2013-5640 due to differences in researchers and disclosure dates.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| raoul_proenca | gnew | — | — |
GHSA
GHSA-ff38-j34r-r7q3: Multiple SQL injection vulnerabilities in Gnew 2013
ghsa_unreviewed · 2022-05-17 · CVSS 7.5 · CVE-2013-7349 [HIGH] · CWE-89
GHSA
GHSA-x6jx-g3r4-5xmh: Multiple SQL injection vulnerabilities in Gnew 2013
ghsa_unreviewed · 2022-05-17 · CVSS 7.5 · CVE-2013-5640 [HIGH] · CWE-89
Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote attackers to execute arbitrary SQL commands via the (1) answer_id or (2) question_id parameter to polls/vote.php, (3) story_id parameter to comments/add.php or (4) comments/edit.php, or (5) thread_id parameter to posts/add.php. NOTE: this issue was SPLIT due to differences in researchers and disclosure dates. CVE-2013-7349 already covers the news_id parameter to news/send.php, user_email parameter to users/register.php, and thread_id to posts/edit.php vectors.
No detection rules found.
Exploit-DB
Gnew 2013.1 - Multiple Vulnerabilities (2)
exploitdb · 2013-10-02 · CVSS 7.5 · CVE-2013-7349 [HIGH]
---
Advisory ID: HTB23171
Product: Gnew
Vendor: Raoul Proença
Vulnerable Version(s): 2013.1 and probably prior
Tested Version: 2013.1
Advisory Publication: August 28, 2013 [without technical details]
Vendor Notification: August 28, 2013
Public Disclosure: October 2, 2013
Vulnerability Type: PHP File Inclusion [CWE-98], SQL Injection [CWE-89]
CVE References: CVE-2013-5639, CVE-2013-5640
Risk Level: High
CVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Solution Available
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Gnew, which can be expl
Exploit-DB
Gnew 2013.1 - Multiple Vulnerabilities (1)
exploitdb · 2013-08-12 · CVE-2013-7368
---
Gnew v2013.1 Multiple XSS And SQL Injection Vulnerabilities
Vendor: Raoul Proença
Product web page: http://www.gnew.fr
Affected version: 2013.1
Summary: Gnew is a simple Content Management System written with PHP language and using a database server (MySQL, PostgreSQL or SQLite) for storage.
Desc: Input passed via several parameters is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user's browser session in context of an affected site.
| PARAM | TYPE | FILE |
|---|---|---|
| gnew_template | XSS | /users/profile.php, /articles/index.php, /admin/polls.php |
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/122771
- http://packetstormsecurity.com/files/123482
- http://www.exploit-db.com/exploits/28684
- http://www.securityfocus.com/bid/62817
- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5153.php
- https://www.htbridge.com/advisory/HTB23171
- https://www.netsparker.com/critical-xss-sql-injection-vulnerabilities-gnew/