CVE-2013-5957

Multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location.php in CiviCRM before 4.2.12, 4.3.x before 4.3.7, and 4.4.x before 4.4.beta4 allow remote attackers to execute arbitrary SQL commands via the _value parameter to (1) ajax/jqState or (2) ajax/jqcounty.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://civicrm.org/advisory/civi-sa-2013-009-sql-injection-vulnerability	Patch Vendor Advisory
https://github.com/civicrm/civicrm-core/pull/1708.diff	Patch
https://www.navixia.com/blog/entry/navixia-finds-critical-vulnerability-in-civicrm-cve-2013-5957.html	Exploit
https://www.navixia.com/company/navixia-news/395-navixia-finds-critical-vulnerability-in-civicrm.html
https://civicrm.org/advisory/civi-sa-2013-009-sql-injection-vulnerability	Patch Vendor Advisory
https://github.com/civicrm/civicrm-core/pull/1708.diff	Patch
https://www.navixia.com/blog/entry/navixia-finds-critical-vulnerability-in-civicrm-cve-2013-5957.html	Exploit
https://www.navixia.com/company/navixia-news/395-navixia-finds-critical-vulnerability-in-civicrm.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:civicrm:civicrm:4.4:alpha3::::::
	cpe:2.3:a:civicrm:civicrm:4.4:beta1::::::
	cpe:2.3:a:civicrm:civicrm:4.4:beta2::::::
	cpe:2.3:a:civicrm:civicrm:4.4:beta3::::::
	cpe:2.3:a:civicrm:civicrm:4.4.0:alpha1::::::
	cpe:2.3:a:civicrm:civicrm:4.4.0:alpha2::::::

Configuration 2 (hide)

OR	cpe:2.3:a:civicrm:civicrm::::::::
	cpe:2.3:a:civicrm:civicrm:4.2.0:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.1:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.2:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.4:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.5:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.6:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.7:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.8:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.9:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.10:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:civicrm:civicrm:4.3.0:::::::*
	cpe:2.3:a:civicrm:civicrm:4.3.1:::::::*
	cpe:2.3:a:civicrm:civicrm:4.3.2:::::::*
	cpe:2.3:a:civicrm:civicrm:4.3.3:::::::*
	cpe:2.3:a:civicrm:civicrm:4.3.4:::::::*
	cpe:2.3:a:civicrm:civicrm:4.3.5:::::::*
	cpe:2.3:a:civicrm:civicrm:4.3.6:::::::*

History

21 Nov 2024, 01:58

Type	Values Removed	Values Added
References	~~() https://civicrm.org/advisory/civi-sa-2013-009-sql-injection-vulnerability - Patch, Vendor Advisory~~	() https://civicrm.org/advisory/civi-sa-2013-009-sql-injection-vulnerability - Patch, Vendor Advisory
References	~~() https://github.com/civicrm/civicrm-core/pull/1708.diff - Patch~~	() https://github.com/civicrm/civicrm-core/pull/1708.diff - Patch
References	~~() https://www.navixia.com/blog/entry/navixia-finds-critical-vulnerability-in-civicrm-cve-2013-5957.html - Exploit~~	() https://www.navixia.com/blog/entry/navixia-finds-critical-vulnerability-in-civicrm-cve-2013-5957.html - Exploit
References	~~() https://www.navixia.com/company/navixia-news/395-navixia-finds-critical-vulnerability-in-civicrm.html -~~	() https://www.navixia.com/company/navixia-news/395-navixia-finds-critical-vulnerability-in-civicrm.html -

Information

Published : 2013-11-27 18:55

Updated : 2024-11-21 01:58

NVD link : CVE-2013-5957

Mitre link : CVE-2013-5957

CVE.ORG link : CVE-2013-5957

JSON object : View

Products Affected

civicrm

civicrm

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

7.5 /10