CVE-2013-3527 : Multiple SQL injection vulnerabilities in Vanilla Forums before 2.0.18.8 allow r

Multiple SQL injection vulnerabilities in Vanilla Forums before 2.0.18.8 allow remote attackers to execute arbitrary SQL commands via the parameter name in the Form/Email array to (1) entry/signin or (2) entry/passwordrequest.

Published 2013-05-10 21:55:03

Updated 2020-06-04 13:16:44

Source MITRE

View at NVD, CVE.org

Vulnerability category: Sql Injection

Products affected by CVE-2013-3527

Vanillaforums » Vanilla
Versions up to, including, (<=) 2.0.18.7
cpe:2.3:a:vanillaforums:vanilla:*:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.13
cpe:2.3:a:vanillaforums:vanilla:2.0.13:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.14
cpe:2.3:a:vanillaforums:vanilla:2.0.14:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.15
cpe:2.3:a:vanillaforums:vanilla:2.0.15:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.9
cpe:2.3:a:vanillaforums:vanilla:2.0.9:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.10
cpe:2.3:a:vanillaforums:vanilla:2.0.10:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.12
cpe:2.3:a:vanillaforums:vanilla:2.0.12:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.11
cpe:2.3:a:vanillaforums:vanilla:2.0.11:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.17.2
cpe:2.3:a:vanillaforums:vanilla:2.0.17.2:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.17.3
cpe:2.3:a:vanillaforums:vanilla:2.0.17.3:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.17.4
cpe:2.3:a:vanillaforums:vanilla:2.0.17.4:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.16
cpe:2.3:a:vanillaforums:vanilla:2.0.16:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.17
cpe:2.3:a:vanillaforums:vanilla:2.0.17:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.17.1
cpe:2.3:a:vanillaforums:vanilla:2.0.17.1:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.18 Update RC3
cpe:2.3:a:vanillaforums:vanilla:2.0.18:rc3:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.18 Update RC2
cpe:2.3:a:vanillaforums:vanilla:2.0.18:rc2:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.18.1
cpe:2.3:a:vanillaforums:vanilla:2.0.18.1:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.17.10
cpe:2.3:a:vanillaforums:vanilla:2.0.17.10:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.7
cpe:2.3:a:vanillaforums:vanilla:2.0.7:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.6
cpe:2.3:a:vanillaforums:vanilla:2.0.6:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.17.5
cpe:2.3:a:vanillaforums:vanilla:2.0.17.5:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.18 Update RC1
cpe:2.3:a:vanillaforums:vanilla:2.0.18:rc1:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.18 Update Beta4
cpe:2.3:a:vanillaforums:vanilla:2.0.18:beta4:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.17.9
cpe:2.3:a:vanillaforums:vanilla:2.0.17.9:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.17.8
cpe:2.3:a:vanillaforums:vanilla:2.0.17.8:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.5
cpe:2.3:a:vanillaforums:vanilla:2.0.5:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.4
cpe:2.3:a:vanillaforums:vanilla:2.0.4:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.18
cpe:2.3:a:vanillaforums:vanilla:2.0.18:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.18 Update Alpha3
cpe:2.3:a:vanillaforums:vanilla:2.0.18:alpha3:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.18.3
cpe:2.3:a:vanillaforums:vanilla:2.0.18.3:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.16.1
cpe:2.3:a:vanillaforums:vanilla:2.0.16.1:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.8
cpe:2.3:a:vanillaforums:vanilla:2.0.8:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.1
cpe:2.3:a:vanillaforums:vanilla:2.0.1:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.18 Update Beta2
cpe:2.3:a:vanillaforums:vanilla:2.0.18:beta2:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.18 Update Beta1
cpe:2.3:a:vanillaforums:vanilla:2.0.18:beta1:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.17.7
cpe:2.3:a:vanillaforums:vanilla:2.0.17.7:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.17.6
cpe:2.3:a:vanillaforums:vanilla:2.0.17.6:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.3
cpe:2.3:a:vanillaforums:vanilla:2.0.3:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.2
cpe:2.3:a:vanillaforums:vanilla:2.0.2:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.18.6
cpe:2.3:a:vanillaforums:vanilla:2.0.18.6:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.18.5
cpe:2.3:a:vanillaforums:vanilla:2.0.18.5:*:*:*:*:*:*:*
Matching versions
Vanillaforums » Vanilla » Version: 2.0.18.4
cpe:2.3:a:vanillaforums:vanilla:2.0.18.4:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-3527

EPSS FAQ

0.39%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 73 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-3527

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2013-3527

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-3527

https://exchange.xforce.ibmcloud.com/vulnerabilities/83289

Vanilla Forums multiple SQL injection CVE-2013-3527 Vulnerability Report
http://seclists.org/fulldisclosure/2013/Apr/57

Full Disclosure: Vanilla Forums 2.0.18 / SQL-Injection / Insert arbitrary user & dump usertable
Exploit
http://mfs-enterprise.com/wordpress/2013/04/05/vanilla-forums-2-0-18-sql-injection-insert-arbitrary-user-dump-usertable/

File Not Found
http://www.securityfocus.com/bid/58922

Vanilla Forums Multiple SQL Injection Vulnerabilities
Exploit
http://www.exploit-db.com/exploits/24927

Vanilla Forums 2-0-18-4 - SQL Injection - PHP webapps Exploit
http://vanillaforums.org/discussion/23339/security-update-vanilla-2-0-18-7

Security Update: Vanilla 2.0.18.8 — Vanilla Forums

CVEs referencing this url
http://packetstormsecurity.com/files/121151/Vanilla-Forums-2.0.18.4-SQL-Injection.html

Vanilla Forums 2.0.18.4 SQL Injection ≈ Packet Storm
Exploit
http://archives.neohapsis.com/archives/bugtraq/2013-04/0068.html

Exploit
https://github.com/vanillaforums/Garden/commit/83078591bc4d263e77d2a2ca283100997755290d

Disable the ability to call functions in escaped sql strings. · vanilla/vanilla@8307859 · GitHub

Jump to

Vulnerability Details : CVE-2013-3527

Products affected by CVE-2013-3527

Exploit prediction scoring system (EPSS) score for CVE-2013-3527

CVSS scores for CVE-2013-3527

CWE ids for CVE-2013-3527

References for CVE-2013-3527