Vulnerability Details : CVE-2011-5135
Potential exploit
Multiple SQL injection vulnerabilities in the save_connection function in lib/lib.iotask.php in the iotask module in DoceboLMS 4.0.4 and earlier allow remote authenticated users with admin or teacher privileges to execute arbitrary SQL commands via the (1) coursereportuiconfig[name] or (2) coursereportuiconfig[description] parameters to index.php.
Vulnerability category: Sql Injection
Products affected by CVE-2011-5135
- cpe:2.3:a:docebo:docebolms:*:*:*:*:*:*:*:*
- cpe:2.3:a:docebo:docebolms:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:docebo:docebolms:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:docebo:docebolms:2.0.5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-5135
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 26 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-5135
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.0
|
MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
6.8
|
6.4
|
NIST |
CWE ids for CVE-2011-5135
-
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-5135
-
https://twitter.com/claudioerba73/status/143383179162685440
Claudio Erba on Twitter: "@net__ninja @docebo Hi, we got it. We already fixed several of reported issues few days ago but we are fixing other of your issues. Thanks!!"
-
http://www.exploit-db.com/exploits/18224
Docebo Lms 4.0.4 - 'Messages' Remote Code Execution - PHP webapps ExploitExploit
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/71720
DoceboLMS index.php SQL injection CVE-2011-5135 Vulnerability Report
Jump to