PT-2012-5057 · Rtg+1 · Rtg+1

Rémi Gacogne

Published

2012-07-12

Updated

2012-07-16

CVE-2012-3881

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions RTG version 0.7.4 RTG2 version 0.9.2

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved by exploiting SQL injection vulnerabilities via unspecified parameters to API endpoints such as "95.php", "view.php", or "rtg.php".

Recommendations For RTG version 0.7.4, avoid using the parameters in the affected API endpoints until the issue is resolved. For RTG2 version 0.9.2, restrict access to the vulnerable API endpoints "95.php", "view.php", and "rtg.php" to minimize the risk of exploitation.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2012-3881

Affected Products

Rtg

Rtg2

PT-2012-5057 · Rtg+1 · Rtg+1

CVE-2012-3881

Weakness Enumeration

Related Identifiers

Affected Products

References · 3