漏洞标题
N/A
漏洞描述信息
在Open Business Management(OBM)2.4.0-rc13以及可能更早的版本中,存在多个SQL注入漏洞,允许远程授权的用户通过(1)sel_domain_id或(2)action参数到obm.php;(3)在搜索动作中 tf_user 参数到group/group_index.php;(4)tf_delegation,(5)tf_ip,(6)tf_name到host/host_index.php;或(7)lang,(8)theme,(9)cal_alert,(10)cal_first_hour,(11)cal_interval,(12)cal_last_hour,(13)commentorder,(14)csv_sep,(15)date,(16)date_upd,(17)debug_exe,(18)debug_id,(19)debug_param,(20)debug_sess,(21)debug_solr,(22)debug_sql,(23)dsrc,(24)menu,(25)rows,(26)sel_display_days,(27)timeformat,(28)timezone,或(29)todo参数到设置/设置_index.php。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
Multiple SQL injection vulnerabilities in Open Business Management (OBM) 2.4.0-rc13 and probably earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) sel_domain_id or (2) action parameter to obm.php; (3) tf_user parameter in a search action to group/group_index.php; (4) tf_delegation, (5) tf_ip, (6) tf_name to host/host_index.php; or (7) lang, (8) theme, (9) cal_alert, (10) cal_first_hour, (11) cal_interval, (12) cal_last_hour, (13) commentorder, (14) csv_sep, (15) date, (16) date_upd, (17) debug_exe, (18) debug_id, (19) debug_param, (20) debug_sess, (21) debug_solr, (22) debug_sql, (23) dsrc, (24) menu, (25) rows, (26) sel_display_days, (27) timeformat, (28) timezone, or (29) todo parameter to settings/settings_index.php.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
Open Business Management SQL注入漏洞
漏洞描述信息
Open Business Management (OBM) 2.4.0-rc13和早期版本中存在多个SQL注入漏洞。远程认证用户可利用这些漏洞通过(1)sel_domain_id或(2)action参数传送到obm.php脚本(3)查找操作中的tf_user参数传送到group/group_index.php脚本(4)tf_delegation(5)tf_ip(6)tf_name传送到host/host_index.php脚本或(7)lang(8)theme(9)cal_alert(10)cal_fir
CVSS信息
N/A
漏洞类别
SQL注入