CVE-2009-2608

Multiple SQL injection vulnerabilities in PHP Address Book 4.0.x allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to delete.php or (2) alphabet parameter to index.php. NOTE: the edit.php and view.php vectors are already covered by CVE-2008-2565.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://secunia.com/advisories/35590	Vendor Advisory
http://www.exploit-db.com/exploits/9023
http://www.securityfocus.com/archive/1/504595/100/0/threaded
http://www.securityfocus.com/bid/35511	Exploit

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:chatelao:php_address_book:4.0.1:::::::*
	cpe:2.3:a:chatelao:php_address_book:4.0.2:::::::*

History

No history.

Information

Published : 2009-07-27 18:30

Updated : 2024-02-04 17:33

NVD link : CVE-2009-2608

Mitre link : CVE-2009-2608

CVE.ORG link : CVE-2009-2608

JSON object : View

Products Affected

chatelao

php_address_book

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2009-2608", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-07-27T18:30:00.233", "references": [{"url": "http://secunia.com/advisories/35590", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.exploit-db.com/exploits/9023", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/504595/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/35511", "tags": ["Exploit"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in PHP Address Book 4.0.x allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to delete.php or (2) alphabet parameter to index.php. NOTE: the edit.php and view.php vectors are already covered by CVE-2008-2565."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en PHP Address Book versiones 4.0.x, permiten a los atacantes remotos ejecutar comandos SQL arbitrarios por medio del (1) par\u00e1metro id en el archivo delete.php o (2) par\u00e1metro alphabet en el archivo index.php. NOTA: los vectores edit.php y view.php ya est\u00e1n cubiertos por el CVE-2008-2565."}], "lastModified": "2018-10-10T19:40:51.840", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:chatelao:php_address_book:4.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7CB55AC9-5FE9-4D82-96F6-55BA869DED41"}, {"criteria": "cpe:2.3:a:chatelao:php_address_book:4.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "42B80912-2590-41E4-9F02-94F830E5829C"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}