Multiple SQL injection vulnerabilities in symphony/content/content.publish.php in Symphony CMS 2.2.3 and possibly other versions before 2.2.4 allow remote authenticated users with Author permissions to execute arbitrary SQL commands via the filter parameter to (1) symphony/publish/comments or (2) symphony/publish/images. NOTE: this issue can be leveraged to perform cross-site scripting (XSS) attacks via error messages. NOTE: some of these details are obtained from third party information.
| Version | Base score | Base severity | Vector |
|---|
| Hyperlink | Resource Type |
|---|
Multiple SQL injection vulnerabilities in symphony/content/content.publish.php in Symphony CMS 2.2.3 and possibly other versions before 2.2.4 allow remote authenticated users with Author permissions to execute arbitrary SQL commands via the filter parameter to (1) symphony/publish/comments or (2) symphony/publish/images. NOTE: this issue can be leveraged to perform cross-site scripting (XSS) attacks via error messages. NOTE: some of these details are obtained from third party information.
| Type | CWE ID | Description |
|---|---|---|
| text | N/A | n/a |
| Version | Base score | Base severity | Vector |
|---|
| CAPEC ID | Description |
|---|
| Event | Date |
|---|
| Hyperlink | Resource |
|---|---|
| http://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-symphony-cms/ | x_refsource_MISC |
| http://seclists.org/bugtraq/2011/Nov/8 | mailing-list x_refsource_BUGTRAQ |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/71105 | vdb-entry x_refsource_XF |
| http://secunia.com/advisories/46663 | third-party-advisory x_refsource_SECUNIA |
| https://github.com/symphonycms/symphony-2/commit/476e4926e2773588eab10dd3036f27e1411521b5 | x_refsource_CONFIRM |
| http://www.osvdb.org/76884 | vdb-entry x_refsource_OSVDB |
| http://www.openwall.com/lists/oss-security/2011/11/22/9 | mailing-list x_refsource_MLIST |
| http://symphony-cms.com/download/releases/version/2.2.4/ | x_refsource_CONFIRM |
| http://packetstormsecurity.org/files/view/106493/symphonycms-sqlxss.txt | x_refsource_MISC |
| Version | Base score | Base severity | Vector |
|---|
| CAPEC ID | Description |
|---|
| Event | Date |
|---|
| Hyperlink | Resource |
|---|---|
| http://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-symphony-cms/ | x_refsource_MISC x_transferred |
| http://seclists.org/bugtraq/2011/Nov/8 | mailing-list x_refsource_BUGTRAQ x_transferred |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/71105 | vdb-entry x_refsource_XF x_transferred |
| http://secunia.com/advisories/46663 | third-party-advisory x_refsource_SECUNIA x_transferred |
| https://github.com/symphonycms/symphony-2/commit/476e4926e2773588eab10dd3036f27e1411521b5 | x_refsource_CONFIRM x_transferred |
| http://www.osvdb.org/76884 | vdb-entry x_refsource_OSVDB x_transferred |
| http://www.openwall.com/lists/oss-security/2011/11/22/9 | mailing-list x_refsource_MLIST x_transferred |
| http://symphony-cms.com/download/releases/version/2.2.4/ | x_refsource_CONFIRM x_transferred |
| http://packetstormsecurity.org/files/view/106493/symphonycms-sqlxss.txt | x_refsource_MISC x_transferred |
Multiple SQL injection vulnerabilities in symphony/content/content.publish.php in Symphony CMS 2.2.3 and possibly other versions before 2.2.4 allow remote authenticated users with Author permissions to execute arbitrary SQL commands via the filter parameter to (1) symphony/publish/comments or (2) symphony/publish/images. NOTE: this issue can be leveraged to perform cross-site scripting (XSS) attacks via error messages. NOTE: some of these details are obtained from third party information.
| Date Added | Due Date | Vulnerability Name | Required Action |
|---|---|---|---|
| N/A |
| Type | Version | Base score | Base severity | Vector |
|---|---|---|---|---|
| Primary | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |