CVE-2014-9254

bb_func_unsub.php in MiniBB 3.1 before 20141127 uses an incorrect regular expression, which allows remote attackers to conduct SQl injection attacks via the code parameter in an unsubscribe action to index.php.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://secunia.com/advisories/61794
http://security.szurek.pl/minibb-31-blind-sql-injection.html	Exploit
http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:minibb:minibb:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2014-12-31 21:59

Updated : 2024-02-04 18:35

NVD link : CVE-2014-9254

Mitre link : CVE-2014-9254

CVE.ORG link : CVE-2014-9254

JSON object : View

Products Affected

minibb

minibb

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

7.5 /10