Friday, 25 August 2017

Posted at 00:32 by admin
A vulnerability, which was classified as critical, has been found in NexusPHP 1.5.beta5.20120707. Affected by this issue is an unknown function of the file staffbox.php. The manipulation of the argument setanswered as part of a parameter leads to a SQL injection vulnerability. Using CWE to declare the problem leads to CWE-89. Impacted are confidentiality, integrity, and availability. An attacker might be able to inject and/or alter existing SQL statements, which would influence the database exchange.

The weakness was released 08/24/2017. This vulnerability is handled as CVE-2017-13669 since 08/24/2017. The attack may be launched remotely. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
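The advisory names the weakness class (CWE-89) but not the affected code, so the following is an added illustration of the class, not NexusPHP's own code. The handler names, table and column names are hypothetical; only the parameter name setanswered and the weakness class come from the advisory. The first function shows the pattern that produces CWE-89 (the request value is concatenated into the SQL text), the second shows the generic fix for the class: validate the value's type, then bind it as a query parameter so the database never treats it as query structure.

```php
<?php
// Added illustration for CWE-89, not NexusPHP's code. Names other than
// "setanswered" are hypothetical.

// Vulnerable pattern: the request value is interpolated into the SQL text,
// so the database cannot distinguish data from query structure.
function markAnsweredVulnerable(mysqli $db, array $request): void
{
    $id  = $request['setanswered'];   // attacker-controlled input
    $sql = "UPDATE staffmessages SET answered = 'yes' WHERE id = " . $id;
    $db->query($sql);                 // CWE-89: SQL injection
}

// Hardened pattern: validate the type, then bind the value as a parameter.
function markAnsweredHardened(mysqli $db, array $request): bool
{
    // The field must be a positive integer; anything else is rejected and
    // can be logged as a suspicious request for detection purposes.
    $id = filter_var(
        $request['setanswered'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        error_log('staffbox: rejected non-integer setanswered value');
        return false;
    }

    // Prepared statement: the value travels separately from the SQL text.
    $stmt = $db->prepare("UPDATE staffmessages SET answered = 'yes' WHERE id = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Until a vendor fix is available, the hardened form is the standard mitigation for this weakness class; in addition, filtering and logging rejected values at the input boundary gives operators a signal that the parameter is being probed.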

CVSSv3

VulDB Base Score: ≈6.3
VulDB Temp Score: ≈6.3
VulDB Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X
VulDB Reliability: Medium

CVSSv2

VulDB Base Score: ≈6.0 (CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P)
VulDB Temp Score: ≈6.0 (CVSS2#E:ND/RL:ND/RC:ND)
VulDB Reliability: Medium

CPE

  • cpe:/a:nexusphp:nexusphp:1.5.beta5.20120707

Exploiting

Class: Sql injection (CWE-89)
Local: No
Remote: Yes

Availability: No

Price Prediction: steady
Current Price Estimation

0-Day: $0-$5k | $5k-$25k | $25k-$100k | $100k-$500k
Today: $0-$5k | $5k-$25k | $25k-$100k | $100k-$500k

Countermeasures

Recommended: no mitigation known
0-Day Time: 0 days since found

Timeline

08/24/2017   Advisory disclosed
08/24/2017  +0 days CVE assigned
08/25/2017  +1 days VulDB entry created
08/25/2017  +0 days VulDB last update

Sources

CVE: CVE-2017-13669 (mitre.org) (nvd.nist.org) (cvedetails.com)
