Vulnerability Details : CVE-2014-2211
SQL injection vulnerability in portal/addtoapplication.php in POSH (aka Posh portal or Portaneo) 3.0 before 3.3.0 allows remote attackers to execute arbitrary SQL commands via the rssurl parameter.
Vulnerability category: Sql Injection
Exploit prediction scoring system (EPSS) score for CVE-2014-2211
Probability of exploitation activity in the next 30 days: 0.21%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 59 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2014-2211
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2014-2211
-
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-2211
-
http://www.sysdream.com/system/files/POSH-3.2.1-advisory_0.pdf
Sysdream, Erreur interneExploit
-
http://www.securityfocus.com/bid/65817
POSH 'addtoapplication.php' SQL Injection Vulnerability
-
http://seclists.org/oss-sec/2014/q1/444
oss-sec: [CVE assignment notification] Multiple vulnerabilities in POSH
-
http://sourceforge.net/p/posh/svn/3540/
Posh portal (ex Portaneo) / SVN / Commit [r3540]
-
http://www.sysdream.com/CVE-2014-2211_2214
Sysdream, Erreur interneExploit;Patch
Products affected by CVE-2014-2211
- cpe:2.3:a:posh_project:posh:*:*:*:*:*:*:*:*
- cpe:2.3:a:posh_project:posh:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:posh_project:posh:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:posh_project:posh:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:posh_project:posh:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:posh_project:posh:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:posh_project:posh:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:posh_project:posh:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:posh_project:posh:3.0:*:*:*:*:*:*:*