PT-2009-5464 · Portalxp · Portalxp Teacher Edition

Sirgod

Published

2009-09-10

Updated

2017-09-19

CVE-2009-3148

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: PortalXP Teacher Edition version 1.2

Description: The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the id parameter to API endpoints such as "calendar.php", "news.php", and "links.php", and the assignment id parameter to "assignments.php".

Recommendations: For PortalXP Teacher Edition version 1.2, consider restricting access to the "calendar.php", "news.php", "links.php", and "assignments.php" API endpoints until a patch is available. Avoid using the id and assignment id parameters in these endpoints to minimize the risk of exploitation.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2009-3148

Affected Products

Portalxp Teacher Edition

PT-2009-5464 · Portalxp · Portalxp Teacher Edition

CVE-2009-3148

Weakness Enumeration

Related Identifiers

Affected Products

References · 3