SQL Injection in Dokeos
Advisory ID: | HTB23181 |
Product: | Dokeos |
Vendor: | Dokeos |
Vulnerable Versions: | 2.2 RC2 and probably prior |
Tested Version: | 2.2 RC2 |
Advisory Publication: | October 30, 2013 [without technical details] |
Vendor Notification: | October 30, 2013 |
Public Disclosure: | November 27, 2013 |
Latest Update: | November 27, 2013 |
Vulnerability Type: | SQL Injection [CWE-89] |
CVE Reference: | CVE-2013-6341 |
Risk Level: | High |
CVSSv2 Base Score: | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
Solution Status: | Solution Available |
Discovered and Provided: | High-Tech Bridge Security Research Lab |
Advisory Details: | |
High-Tech Bridge Security Research Lab discovered vulnerability in Dokeos, which can be exploited to perform SQL Injection attacks. | |
Solution: | |
Vendor did not reply to 6 notifications by email, 1 notification via twitter, 2 forum threads/direct messages. Currently we are not aware of any official solution for this vulnerability. Unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.immuniweb.com/advisory/HTB23181-patch.zip | |
References: | |
[1] High-Tech Bridge Advisory HTB23181 - https://www.immuniweb.com/advisory/HTB23181 - SQL Injection in Dokeos. [2] Dokeos - http://www.dokeos.com/ - Dokeos, the flexible, enterprise-ready e-learning software. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWeb® - Leveraging the power of machine-learning and genius of human brain to deliver the most advanced web application security and penetration testing. [6] ImmuniWeb® SSLScan - Test your servers for security and compliance with PCI DSS, HIPAA and NIST. | |
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.