Description
SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when creating a new filter under the "Collections" tab.
Remediation
References