B2ePMS Multiple SQL Injection Vulnerabilities Network Vulnerability

Summary

This host is running b2ePMS and is prone to multiple SQL injection vulnerabilities.

Impact

Successful exploitation will let attackers to cause SQL injection attack and gain sensitive information. Impact Level: Application

Solution

No solution or patch was made available for at least one year since disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.

Insight

Multiple flaws are due to input passed via phone_number, msg_caller, phone_msg, msg_options, msg_recipients and signed parameters to 'index.php' is not properly sanitised before being used in SQL queries, which allows attackers to execute arbitrary SQL commands in the context of an affected application or site.

Affected

b2ePMS version 1.0

References

http://packetstormsecurity.org/files/113064/b2epms10-sql.txt
http://www.exploit-db.com/exploits/18935
http://www.securityfocus.com/bid/53690
http://xforce.iss.net/xforce/xfdb/75923

Updated on 2015-03-25

Severity

Classification

CVSS	Base Score: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Apple Safari RSS Feed Information Disclosure Vulnerability
Atlassian JIRA Privilege Escalation and Multiple Cross Site Scripting Vulnerabilities
AlienVault Open Source SIEM (OSSIM) 'timestamp' Parameter Directory Traversal Vulnerability
Ajax File and Image Manager 'data.php' PHP Code Injection Vulnerability
Apple Safari PDF Javascript Security Bypass Bypass Vulnerability

b2ePMS Multiple SQL Injection Vulnerabilities

Take action and discover your vulnerabilities