CVE-2021-28242

SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when creating a new filter under the "Collections" tab.
Configurations

Configuration 1 (hide)

cpe:2.3:a:b2evolution:b2evolution:7.2.2:*:*:*:*:*:*:*

History

21 Nov 2024, 05:59

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/162489/b2evolution-7-2-2-SQL-Injection.html - Exploit, Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/162489/b2evolution-7-2-2-SQL-Injection.html - Exploit, Third Party Advisory, VDB Entry
References () https://deadsh0t.medium.com/authenticated-boolean-based-blind-error-based-sql-injection-b752225f0644 - Exploit, Patch, Third Party Advisory () https://deadsh0t.medium.com/authenticated-boolean-based-blind-error-based-sql-injection-b752225f0644 - Exploit, Patch, Third Party Advisory
References () https://github.com/b2evolution/b2evolution/issues/109 - Issue Tracking, Third Party Advisory () https://github.com/b2evolution/b2evolution/issues/109 - Issue Tracking, Third Party Advisory

03 May 2022, 16:04

Type Values Removed Values Added
CWE CWE-77 CWE-89

04 Jun 2021, 18:50

Type Values Removed Values Added
References (MISC) http://packetstormsecurity.com/files/162489/b2evolution-7-2-2-SQL-Injection.html - (MISC) http://packetstormsecurity.com/files/162489/b2evolution-7-2-2-SQL-Injection.html - Exploit, Third Party Advisory, VDB Entry

Information

Published : 2021-04-15 14:15

Updated : 2024-11-21 05:59


NVD link : CVE-2021-28242

Mitre link : CVE-2021-28242

CVE.ORG link : CVE-2021-28242


JSON object : View

Products Affected

b2evolution

  • b2evolution
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')