SQL Injection Vulnerability in b2evolution by B2evolution
CVE-2021-28242

8.8 HIGH

Key Information:

Vendor: B2evolution
CVE Published: 15 April 2021

What is CVE-2021-28242?

b2evolution v7.2.2-stable contains an SQL injection vulnerability in the 'evoadm.php' component. A remote attacker can inject SQL through the 'cf_name' parameter when creating a new filter in the Collections tab. Because the injected SQL runs against the application database, the flaw can expose or alter sensitive database contents, so users of this version should apply the vendor's security patches and ensure that this input is validated and passed to the database through parameterized queries rather than string concatenation.
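As an added illustration of the bug class described above (this is not b2evolution's code; the table name, column name, function names and the validation policy are assumed), the unsafe pattern of interpolating a request parameter into SQL text is shown beside a parameterized version using mysqli prepared statements:

```php
<?php
// Added example, not b2evolution code. The 'filters' table, its 'cf_name'
// column and the function names are assumed for illustration.
// $db is an open mysqli connection.

// UNSAFE: the request parameter is spliced into the SQL string, so any quote
// or comment characters in it become part of the statement. This is the
// general pattern behind injection flaws such as CVE-2021-28242.
function create_filter_unsafe(mysqli $db, string $cf_name): bool
{
    $sql = "INSERT INTO filters (cf_name) VALUES ('" . $cf_name . "')";
    return $db->query($sql) !== false;
}

// SAFE: validate the value, then bind it as a parameter. The database
// receives the SQL text and the value separately, so the value can never
// change the structure of the statement.
function create_filter_safe(mysqli $db, string $cf_name): bool
{
    // Assumed policy for a filter name: 1 to 80 characters, no control
    // characters. Adjust to the application's real requirements.
    if (!preg_match('/^[^\x00-\x1F\x7F]{1,80}$/u', $cf_name)) {
        return false;
    }

    $stmt = $db->prepare("INSERT INTO filters (cf_name) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $cf_name);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage: the request value is passed as-is; no manual escaping is needed
// because the prepared statement handles it.
// $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
// create_filter_safe($db, $_POST['cf_name'] ?? '');
```

When auditing for this class of issue, search the code base for SQL strings built with concatenation or interpolation of request-derived values ($_GET, $_POST, $_REQUEST) and replace each with a prepared statement; the validation step is a defence in depth, not a substitute for binding.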

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
