B2ePMS Multiple SQL Injection Vulnerabilities Network Vulnerability

Summary

This host is running b2ePMS and is prone to multiple SQL injection vulnerabilities.

Impact

Successful exploitation will let attackers to cause SQL injection attack and gain sensitive information. Impact Level: Application

Solution

No solution or patch was made available for at least one year since disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.

Insight

Multiple flaws are due to input passed via phone_number, msg_caller, phone_msg, msg_options, msg_recipients and signed parameters to 'index.php' is not properly sanitised before being used in SQL queries, which allows attackers to execute arbitrary SQL commands in the context of an affected application or site.

Affected

b2ePMS version 1.0

References

http://packetstormsecurity.org/files/113064/b2epms10-sql.txt
http://www.exploit-db.com/exploits/18935
http://www.securityfocus.com/bid/53690
http://xforce.iss.net/xforce/xfdb/75923

Updated on 2015-03-25

Severity

Classification

CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Arkeia Appliance Multiple Vulnerabilities
AV Arcade 'ava_code' Cookie Parameter SQL Injection Vulnerability
ActualAnalyzer Lite 'ant' Cookie Parameter Remote Command Execution Vulnerability
Allegro RomPager `Misfortune Cookie` Vulnerability
68designs 68kb Multiple Remote File Include Vulnerabilities

b2ePMS Multiple SQL Injection Vulnerabilities

Take action and discover your vulnerabilities