CVE-2014-7201

{"id": "CVE-2014-7201", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-10-10T14:55:09.573", "references": [{"url": "http://packetstormsecurity.com/files/128446/Typo3-JobControl-2.14.0-Cross-Site-Scripting-SQL-Injection.html", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2014/Sep/89", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-012", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/70155", "source": "cve@mitre.org"}, {"url": "https://www.mogwaisecurity.de/advisories/MSA-2014-02.txt", "tags": ["Exploit"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in the search function in pi1/class.tx_dmmjobcontrol_pi1.php in the JobControl (dmmjobcontrol) extension 2.14.0 and earlier for TYPO3 allow remote attackers to execute arbitrary SQL commands via the (1) education, (2) region, or (3) sector fields, as demonstrated by the tx_dmmjobcontrol_pi1[search][sector][] parameter to jobs/."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en la funci\u00f3n de b\u00fasqueda en pi1/class.tx_dmmjobcontrol_pi1.php en la extensi\u00f3n JobControl (dmmjobcontrol) 2.14.0 y anteriores para TYPO3 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s de los campos (1) education, (2) region, o (3) sector, tal y como fue demostrado por el par\u00e1metro tx_dmmjobcontrol_pi1[search][sector][] en jobs/."}], "lastModified": "2014-10-22T14:26:18.077", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kevin_renskers:dmmjobcontrol:*:*:*:*:*:typo3:*:*", "vulnerable": true, "matchCriteriaId": "83DB6248-22CE-45D5-BA15-9A5915F405AA", "versionEndIncluding": "2.14.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}