CVE-2015-0919
Published: 2015-01-08
Priority: P3 (50)
CVSS 2.0: 7.5 (high)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available (see Exploit-DB below)
EPSS: 2.12% (79.6th percentile)
Multiple SQL injection vulnerabilities in the administrative backend in Sefrengo before 1.6.1 allow remote administrators to execute arbitrary SQL commands via the (1) idcat or (2) idclient parameter to backend/main.php.
Affected
1 range (fixed version taken from the CVE description, "before 1.6.1")
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sefrengo | sefrengo | <= 1.6.0 | 1.6.1 |
No detection rules found.
Exploit-DB: ADH-Web Server IP-Cameras - Multiple Vulnerabilities (exploitdb · 2015-09-20)
Note: this entry is indexed here only because its advisory ID, OLSA-2015-0919, contains the string "2015-0919"; the advisory itself lists no CVE and concerns a different product.
---
1. Advisory Information
Title: ADH-Web Server IP-Cameras Improper Access Restrictions
EDB-ID: 38245
Advisory ID: OLSA-2015-0919
Advisory URL: http://www.orwelllabs.com/2015/10/adh-web-server-ip-cameras-improper.html
Date published: 2015-09-19
Date of last update: 2016-02-15
Vendors contacted: Dedicated Micros
2. Vulnerability Information
Class: Information Exposure [CWE-200]
Impact: Access Control Bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: N/A
3. Vulnerability Description
Due to improper access restrictions the ADH-Web device [1] allows a remote attacker to browse and access arbitrary files from the directory '/hdd0/logs'. You can also get numerous information (important for a fingerprint s
Exploit-DB: Sefrengo CMS 1.6.0 - SQL Injection (exploitdb · 2015-01-07, CVE-2015-0919)
---
Advisory: SQL-Injection in administrative Backend of Sefrengo CMS v.1.6.0
Advisory ID: SROEADV-2015-04
Author: Steffen Rösemann
Affected Software: CMS Sefrengo v.1.6.0 (Release-Date: 18th-Feb-2014)
Vendor URL: http://www.sefrengo.org/start/start.html
Vendor Status: fixed
CVE-ID: -
Vulnerability Description:
The Content Management System Sefrengo v.1.6.0 contains SQL-Injection
vulnerabilities in its administrative Backend.
Technical Details:
The administrative Backend of Sefrengo CMS contains a functionality to edit
folders which reside on the CMS. It is located here:
http://{TARGET}/backend/main.php?area=con_configcat&idcat=1&idtplconf=0
The parameter "idcat" is vulnerable to SQL-Injection. An attacker
could abuse this to send crafted URLs
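The page lists no detection rule for this CVE. As an added example (not part of the advisory above and not Sefrengo's own code), the following Python checks web-server access logs for requests to backend/main.php whose idcat or idclient parameter, the two injection points named in CVE-2015-0919, is not a plain integer. The log lines are constructed for the example; the regex assumes Common Log Format, and the rule is a heuristic that assumes both parameters carry numeric IDs in normal use (the advisory's own URL uses idcat=1). It does not know or reproduce Sefrengo's actual SQL query.

```python
"""Heuristic access-log check for CVE-2015-0919 probes (constructed example, not Sefrengo code)."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Injection points named in CVE-2015-0919. Assumption: in normal use both carry
# plain integer IDs (the advisory's own URL uses idcat=1).
INJECTABLE_PARAMS = ("idcat", "idclient")
TARGET_PATH = "/backend/main.php"

# Apache/nginx Common Log Format:
# client ident user [time] "METHOD target proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def is_suspicious_value(value: str) -> bool:
    """True unless the (already once-decoded) value is a plain integer.

    A second unquote catches double-encoded payloads such as %2527, which
    parse_qs turns into %27 and which a backend may decode again.
    """
    decoded = unquote_plus(value).strip()
    return re.fullmatch(r"\d+", decoded) is None


def analyze_request(target: str):
    """Return [(param, value), ...] for id parameters that are not plain integers.

    Only requests to backend/main.php are examined; other scripts are out of
    scope for this CVE and return [].
    """
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_PATH):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    return [
        (name, value)
        for name in INJECTABLE_PARAMS
        for value in query.get(name, [])
        if is_suspicious_value(value)
    ]


def scan_log(lines):
    """Run analyze_request over CLF lines; one alert dict per flagged request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF, skip rather than guess
        client, user, ts, method, target, status, _size = m.groups()
        hits = analyze_request(target)
        if hits:
            alerts.append({
                "client": client,
                "user": user,
                "time": ts,
                "method": method,
                "status": int(status),
                "hits": hits,
            })
    return alerts


# Constructed sample lines (not real traffic). Line 1 is the benign URL from the
# advisory; lines 2 and 3 carry probes in idcat and idclient; line 4 targets a
# different script and is ignored by this rule.
SAMPLE_LOG = [
    '10.0.0.5 - admin [08/Jan/2015:10:00:01 +0100] "GET /backend/main.php?area=con_configcat&idcat=1&idtplconf=0 HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [08/Jan/2015:10:00:09 +0100] "GET /backend/main.php?area=con_configcat&idcat=1%27%20AND%20SLEEP(5)--%20-&idtplconf=0 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [08/Jan/2015:10:01:00 +0100] "GET /backend/main.php?area=con_configcat&idclient=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 4100',
    '10.0.0.9 - - [08/Jan/2015:10:02:00 +0100] "GET /index.php?idcat=1%27 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Because the advisory describes the flaw as reachable by administrators, the "user" field of each alert matters: a flagged request from an authenticated backend account points at a compromised or malicious admin rather than an anonymous scanner. Alerting on "not an integer" rather than on a list of SQL keywords keeps the rule from being bypassed by encoding tricks, at the cost of flagging any malformed but harmless value.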
No writeups or analysis indexed.
References
http://forum.sefrengo.org/index.php?showtopic=3360
http://packetstormsecurity.com/files/129824/Sefrengo-CMS-1.6.0-SQL-Injection.html
http://seclists.org/fulldisclosure/2015/Jan/9
http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-04.html