fkie_cve-2018-12942
Vulnerability from fkie_nvd
Published
2018-07-31 14:29
Modified
2024-11-21 03:46
Severity ?
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
SQL injection vulnerability in the "Users management" functionality in SeedDMS (formerly LetoDMS and MyDMS) before 5.1.8 allows authenticated attackers to manipulate an SQL query within the application by sending additional SQL commands to the application server. An attacker can use this vulnerability to perform malicious tasks such as to extract, change, or delete sensitive information within the database supporting the application, and potentially run system commands on the underlying operating system.
References
cve@mitre.orghttps://sourceforge.net/p/seeddms/code/ci/seeddms-5.1.x/tree/CHANGELOGPatch, Release Notes, Third Party Advisory
cve@mitre.orghttps://www.contextis.com/resources/advisories/cve-2018-12942Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://sourceforge.net/p/seeddms/code/ci/seeddms-5.1.x/tree/CHANGELOGPatch, Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.contextis.com/resources/advisories/cve-2018-12942Patch, Third Party Advisory
Impacted products
Vendor Product Version
seeddms seeddms *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:seeddms:seeddms:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F533A347-A0CD-4C80-ADD2-A595DB1135A7",
              "versionEndExcluding": "5.1.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SQL injection vulnerability in the \"Users management\" functionality in SeedDMS (formerly LetoDMS and MyDMS) before 5.1.8 allows authenticated attackers to manipulate an SQL query within the application by sending additional SQL commands to the application server. An attacker can use this vulnerability to perform malicious tasks such as to extract, change, or delete sensitive information within the database supporting the application, and potentially run system commands on the underlying operating system."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de inyecci\u00f3n SQL en la funcionalidad \"Users management\" en SeedDMS (anteriormente conocido como LetoDMS y MyDMS), en versiones anteriores a la 5.1.8, permite que atacantes autenticados manipulen una consulta SQL en la aplicaci\u00f3n mediante el env\u00edo de comandos SQL adicionales al servidor de la aplicaci\u00f3n. Un atacante puede utilizar esta vulnerabilidad para realizar tareas maliciosas como extraer, cambiar o eliminar informaci\u00f3n sensible en la base de datos que soporta la aplicaci\u00f3n o ejecutar comandos del sistema en el sistema operativo subyacente."
    }
  ],
  "id": "CVE-2018-12942",
  "lastModified": "2024-11-21T03:46:09.447",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-07-31T14:29:00.590",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://sourceforge.net/p/seeddms/code/ci/seeddms-5.1.x/tree/CHANGELOG"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.contextis.com/resources/advisories/cve-2018-12942"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://sourceforge.net/p/seeddms/code/ci/seeddms-5.1.x/tree/CHANGELOG"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.contextis.com/resources/advisories/cve-2018-12942"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.