cbcvebase.
CVE-2014-3119
published 2020-01-31

CVE-2014-3119: Multiple SQL injection vulnerabilities in web2Project 3.1 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1)…

Priority: P2 · 60 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 1.73% (74.8th percentile)
Multiple SQL injection vulnerabilities in web2Project 3.1 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) search_string parameter in the contacts module to index.php or allow remote attackers to execute arbitrary SQL commands via the updatekey parameter to (2) do_updatecontact.php or (3) updatecontact.php.

Affected (1 range)

Vendor        Product       Version range   Fixed in
web2project   web2project   <= 3.1

Detection & IOCs (extracted from sources)

path: /index.php
path: /do_updatecontact.php
path: /updatecontact.php
  • Monitor HTTP POST requests to /index.php targeting the contacts module for SQL metacharacters or injection payloads in the `search_string` parameter.
  • Monitor HTTP POST requests to /do_updatecontact.php for SQL injection payloads in the `updatekey` parameter; this vector is exploitable by unauthenticated attackers.
  • Monitor HTTP GET requests to /updatecontact.php for SQL injection payloads in the `updatekey` parameter; this vector is exploitable by unauthenticated attackers.
  • Alert on MySQL file-write activity (e.g., SELECT ... INTO OUTFILE) originating from web2Project database queries, as exploitation examples demonstrate writing arbitrary files to the filesystem.
  • The file-write exploitation vector for /do_updatecontact.php and /updatecontact.php depends on the MySQL configuration and on filesystem permissions; not all deployments will be vulnerable to out-of-band data exfiltration via file write.
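As an added example (not code from the cbcvebase page or from the web2Project project), a Python checker that applies the detection guidance above to individual requests: it flags SQL metacharacters in `search_string` and `updatekey` on the three listed endpoints, gives INTO OUTFILE/DUMPFILE its own verdict, and runs over constructed sample traffic. The `/w2p` install prefix, the `m=contacts` query and the sample requests are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit, unquote_plus
# Endpoints and parameters named in the advisory, matched by path suffix so the
# install prefix (the "/w2p" in SAMPLES is assumed) does not matter.
WATCHED = {
    "/index.php": {"search_string"},
    "/do_updatecontact.php": {"updatekey"},
    "/updatecontact.php": {"updatekey"},
}
# Heuristic injection indicators: quote/comment metacharacters, UNION/SELECT and
# tautologies such as "or 1=1"; INTO OUTFILE/DUMPFILE gets its own verdict since
# the advisory notes file-write abuse through the updatekey endpoints.
SQLI_RE = re.compile(r"(['\"`;]|--|/\*|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+)", re.I)
OUTFILE_RE = re.compile(r"\binto\s+(out|dump)file\b", re.I)

def classify_value(value):
    """Return 'file-write', 'sqli' or None for one decoded parameter value."""
    if OUTFILE_RE.search(value):
        return "file-write"
    return "sqli" if SQLI_RE.search(value) else None

def inspect_request(method, url, body=""):
    """Return (parameter, verdict) findings for one request: the query string is
    checked for every method, a form-encoded body only for POST (contacts search)."""
    parts = urlsplit(url)
    watched = next((n for p, n in WATCHED.items() if parts.path.endswith(p)), None)
    if not watched:
        return []
    values = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for name, vals in parse_qs(body, keep_blank_values=True).items():
            values.setdefault(name, []).extend(vals)
    findings = []
    for name in watched:
        for raw in values.get(name, []):
            verdict = classify_value(unquote_plus(raw))  # re-decode: catches double encoding
            if verdict:
                findings.append((name, verdict))
    return findings

# Constructed sample traffic (not real observations): (method, url, body).
SAMPLES = [
    ("POST", "/w2p/index.php?m=contacts", "search_string=Smith"),
    ("POST", "/w2p/index.php?m=contacts", "search_string=x%27+UNION+SELECT+1--"),
    ("GET", "/w2p/updatecontact.php?updatekey=1%27+INTO+OUTFILE+%27%2Ftmp%2Fx%27", ""),
    ("POST", "/w2p/do_updatecontact.php", "updatekey=5"),
]
def scan(samples=SAMPLES):
    """Return [(method, url, findings)] for the samples that produced findings."""
    return [h for h in ((m, u, inspect_request(m, u, b)) for m, u, b in samples) if h[2]]
```

The patterns are deliberately coarse; tune SQLI_RE against your own traffic before alerting on it, since legitimate contact searches can contain quotes.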

CVSS provenance

NVD   CVSS v3.1   8.8 HIGH     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD   CVSS v2.0   6.5 MEDIUM   AV:N/AC:L/Au:S/C:P/I:P/A:P