CVE-2012-5244

Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to functions/print.php; or (7) the name parameter to functions/ajax.php.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://osvdb.org/88535
http://osvdb.org/88538
http://www.exploit-db.com/exploits/23573/	Exploit
http://osvdb.org/88536
http://osvdb.org/88537
https://www.htbridge.com/advisory/HTB23118	Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/80746

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:bananadance:banana_dance:*:*:*:*:*:*:*:*

Information

Published : 2014-10-20 07:55

Updated : 2017-08-28 18:32

NVD link : CVE-2012-5244

Mitre link : CVE-2012-5244

JSON object : View

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Advertisement

Products Affected

bananadance

banana_dance

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://osvdb.org/88535", "name": "88535", "tags": [], "refsource": "OSVDB"}, {"url": "http://osvdb.org/88538", "name": "88538", "tags": [], "refsource": "OSVDB"}, {"url": "http://www.exploit-db.com/exploits/23573/", "name": "23573", "tags": ["Exploit"], "refsource": "EXPLOIT-DB"}, {"url": "http://osvdb.org/88536", "name": "88536", "tags": [], "refsource": "OSVDB"}, {"url": "http://osvdb.org/88537", "name": "88537", "tags": [], "refsource": "OSVDB"}, {"url": "https://www.htbridge.com/advisory/HTB23118", "name": "https://www.htbridge.com/advisory/HTB23118", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80746", "name": "banana-dance-ajax-sql-injection(80746)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to functions/print.php; or (7) the name parameter to functions/ajax.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-89"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2012-5244", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2014-10-20T14:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:bananadance:banana_dance:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "b.2.6"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-08-29T01:32Z"}