CVE-2014-2531
Published: 2014-10-21
Priority: P3 · 39 · medium · 6.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 1.12% (percentile 62.2)
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx, (2) SiteWorx, or (3) Resellers interface, as demonstrated by the "or" key in a pgn8state object in an i object in a JSON object.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| interworx | web_control_panel | <= 5.0.13 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
GHSA
Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
ghsa · 2022-05-24 · CVSS 9.8
CVE-2021-21691 [CRITICAL] CWE-59
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes.
Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
SECURITY-2531 / CVE-2021-21691: Creating symbolic links is possible without the `symlink` permission.
We expect that most of these vulnerabilities have been present since [SECURITY-144 was addressed in the 2014-10-30 security advisory](https://www.jenkins.io/security/advisory/2014-10
GHSA
GHSA-g48x-w6wf-g8mh: SQL injection vulnerability in xhr
ghsa_unreviewed · 2022-05-14
CVE-2014-2531 [MEDIUM] CWE-89
No detection rules found.
No writeups or analysis indexed.
References
- http://forums.interworx.com/threads/8000-InterWorx-Version-5-0-14-Released-on-Beta-Channel%21
- http://www.exploit-db.com/exploits/32516
- http://www.securityfocus.com/archive/1/531601/100/0/threaded