SQL Injection Vulnerabilities in PHP-Fusion by PHP-Fusion
CVE-2014-8596
Currently unrated
Key Information:
- Vendor: PHP-fusion
- Status
- Vendor
- CVE Published: 17 November 2014
Badges
- Exploit Exists
- Public PoC
What is CVE-2014-8596?
PHP-Fusion versions prior to 7.02.07 contain multiple SQL injection vulnerabilities that allow remote authenticated users to manipulate database queries. Specifically, an attacker can use the 'submit_id' parameter in the submissions administrative interface or the 'status' parameter in the members administrative interface to execute arbitrary SQL commands. This can lead to unauthorized data access and manipulation.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
