PT-2010-4828 · Symphony · Symphony Cms

Published

2010-09-17

Updated

2020-08-25

CVE-2010-3458

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Symphony CMS versions 2.0.7 through 2.1.1

Description The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the send-email[recipient] parameter to the "about/" endpoint.

Recommendations For Symphony CMS versions 2.0.7 through 2.1.1, consider restricting access to the vulnerable event.section.php file in lib/toolkit/events/ until a patch is available. Avoid using the send-email[recipient] parameter in the affected endpoint until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2010-3458

Affected Products

Symphony Cms

PT-2010-4828 · Symphony · Symphony Cms

CVE-2010-3458

Weakness Enumeration

Related Identifiers

Affected Products

References · 7