CVE-2015-3427: SQL Injection in Quassel

CWE-89 (SQL Injection) | 8 documents | 5 sources
Severity
NVD: 7.5 HIGH
OSV: 6.8
EPSS: 0.4% (top 36.81%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: May 14, 2015
Latest update: May 17, 2022

Description

Quassel before 0.12.2 does not properly re-initialize the database session when the PostgreSQL database is restarted, which allows remote attackers to conduct SQL injection attacks via a \ (backslash) in a message. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4422.

Practitioner notes: the flaw is in the PostgreSQL storage backend, so cores using the SQLite backend are not affected by this issue. The trigger is an ordinary IRC message that the core stores, so the attacker needs no account on the core; the precondition is that the PostgreSQL server has restarted while the core kept running on its re-established connection. Upgrading to 0.12.2 (or the patched distribution packages listed below) fixes it; restarting the core after every PostgreSQL restart only works around it.
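
Why a backslash, and why a server restart, as an added example that is not from the page or from Quassel: in PostgreSQL the per-session setting standard_conforming_strings decides whether a backslash inside a single-quoted literal is an ordinary character (on) or an escape (off; the server default was off before PostgreSQL 9.1). A client that quotes values by doubling single quotes is safe only in the on mode, so a client that sets the mode once after connecting and then transparently reconnects after the server restarts silently falls back to the server's default. The page does not name the setting; that this is the lost session state is an inference from "backslash in a message" together with "does not properly re-initialize the database session". The Python below models PostgreSQL's literal lexing in both modes and the lose-state-on-reconnect sequence; the table name, the message text and the PgSession/Client helpers are constructed for the illustration.

```python
# Added illustration for this CVE page, not Quassel code: a small model of how
# PostgreSQL lexes a single-quoted literal under standard_conforming_strings
# on/off, and of a client whose one-time "SET" is lost when the server restarts
# and the connection is silently re-established. Table name, message text and
# the PgSession/Client classes are constructed for the demonstration.

INSERT_PREFIX = "INSERT INTO backlog (message) VALUES ("   # constructed schema


def quote_literal(text: str) -> str:
    """Client-side quoting per the SQL standard: double every single quote and
    leave backslashes alone. Safe only when standard_conforming_strings is on."""
    return "'" + text.replace("'", "''") + "'"


def lex_literal(sql: str, standard_conforming_strings: bool):
    """Model of PostgreSQL's lexer for SQL text that starts with a quoted
    literal. Returns (decoded_text, sql_after_the_literal). With the setting
    off, a backslash escapes the next character, so \\' is a quote *inside*
    the string instead of the end of it."""
    if not sql.startswith("'"):
        raise ValueError("expected a single-quoted literal")
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if sql[i + 1:i + 2] == "'":       # '' is an escaped quote in both modes
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]  # closing quote: literal ends here
        if c == "\\" and not standard_conforming_strings and i + 1 < len(sql):
            out.append(sql[i + 1])            # non-standard mode: \x yields x
            i += 2
            continue
        out.append(c)
        i += 1
    raise ValueError("unterminated string literal")


class PgSession:
    """A connection whose per-session state (everything done with SET) is
    discarded when the server restarts; the client just sees a new session."""

    def __init__(self, server_default_on: bool):
        self.server_default_on = server_default_on
        self.scs_on = server_default_on
        self.generation = 0                   # incremented on every (re)connect

    def init_session(self):
        self.scs_on = True                    # SET standard_conforming_strings TO on

    def server_restart(self):
        self.scs_on = self.server_default_on  # back to postgresql.conf defaults
        self.generation += 1


class Client:
    """Stores messages with client-side quoting. With reinit_on_reconnect=False
    it initialises the session once, like the pre-0.12.2 behaviour the page
    describes; with True it redoes the initialisation after a reconnect."""

    def __init__(self, session: PgSession, reinit_on_reconnect: bool):
        self.session = session
        self.reinit = reinit_on_reconnect
        self.session.init_session()
        self.seen_generation = session.generation

    def store_message(self, text: str):
        """Returns (text_the_server_stored, sql_left_after_the_literal).
        The second element is ')' when the literal ended where intended and
        attacker-controlled SQL when it did not."""
        if self.session.generation != self.seen_generation:
            self.seen_generation = self.session.generation
            if self.reinit:
                self.session.init_session()
        sql = INSERT_PREFIX + quote_literal(text) + ")"
        return lex_literal(sql[len(INSERT_PREFIX):], self.session.scs_on)


PAYLOAD = "\\'); DELETE FROM backlog; --"    # constructed IRC message text


def demo(server_default_on: bool = False):
    """Send PAYLOAD before and after a server restart, with and without
    session re-initialisation, and return what the modelled server parsed."""
    results = {}
    for reinit in (False, True):
        session = PgSession(server_default_on)
        client = Client(session, reinit_on_reconnect=reinit)
        results[("before_restart", reinit)] = client.store_message(PAYLOAD)
        session.server_restart()
        results[("after_restart", reinit)] = client.store_message(PAYLOAD)
    return results


if __name__ == "__main__":
    for (phase, reinit), (stored, rest) in demo().items():
        print(f"{phase:15} reinit={reinit!s:5} stored={stored!r:35} after literal={rest!r}")
```

Before the restart every run stores the payload verbatim; after it, the client that initialised its session only once hands the server a literal that ends at the attacker's `\'`, and everything after it is parsed as SQL. Redoing the session initialisation whenever the connection was re-established (the reinit_on_reconnect path) closes that gap; sending values as bind parameters of a server-side prepared statement avoids the problem entirely, since parameters are never lexed as string literals and the setting does not apply to them.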

CVSS vector

CVSS v2: AV:N/AC:L/C:P/I:P/A:P (Exploitability subscore: 10.0 | Impact subscore: 6.4). An exploitability subscore of 10.0 corresponds to AV:N/AC:L/Au:N, so the full vector is AV:N/AC:L/Au:N/C:P/I:P/A:P: network-reachable, low complexity, no authentication, partial impact on confidentiality, integrity and availability.

Affected Packages (3 packages)

Debian (debian/quassel): < 1:0.10.0-2.4 (bookworm)
Debian (quassel-irc/quassel): < 1:0.10.0-2.4+3
Also affects: Debian Linux 8.0
Upstream: fixed in Quassel 0.12.2

Vulnerability Details (2)

GHSA: GHSA-3g99-qh2f-rgmf: Quassel before 0 (2022-05-17)
OSV: CVE-2015-3427: Quassel before 0 (2015-05-14)

Vendor Advisories (1)

Debian: CVE-2015-3427: quassel - Quassel before 0.12.2 does not properly re-initialize the database session when ... (2015)

Community (4)

Bugzilla: CVE-2015-3427 quassel: SQL injection flaw (incomplete fix for CVE-2013-4422) (2015-04-28)
Bugzilla: CVE-2015-3427 quassel: SQL injection flaw (incomplete fix for CVE-2013-4422) [epel-6] (2015-04-28)
Bugzilla: CVE-2015-3427 quassel: SQL injection flaw (incomplete fix for CVE-2013-4422) [epel-7] (2015-04-28)
Bugzilla: CVE-2015-3427 quassel: SQL injection flaw (incomplete fix for CVE-2013-4422) [fedora-all] (2015-04-28)
CVE-2015-3427 — SQL Injection in Debian Quassel | cvebase