CVE-2015-2146 Information

Description

Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to project.php the (2) group_id parameter to group.php the (3) status_id parameter to status.php the (4) resolution_id parameter to resolution.php the (5) severity_id parameter to severity.php the (6) priority_id parameter to priority.php the (7) os_id parameter to os.php or the (8) site_id parameter to site.php.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://www.openwall.com/lists/oss-security/2015/02/28/1 https://github.com/a-v-k/phpBugTracker/issues/4

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8