PT-2017-10994 · Tracker · Dtracker

Larry W. Cashdollar

+1

·

Published

2017-09-14

·

Updated

2019-10-03

·

CVE-2017-1002005

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

DTracker version 1.5

Description

The DTracker plugin does not sanitize user input. Specifically, the value of the contact id request variable is inserted into an SQL query in ./dtracker/delete.php without validation or escaping, so an attacker who can reach that script can alter the query (SQL injection) and delete or modify records other than the one referenced.

Recommendations

For DTracker version 1.5, modify ./dtracker/delete.php so that the contact id is validated as an integer and passed to the query as a bound parameter (a prepared statement) instead of being concatenated into the SQL string. As a temporary workaround, restrict access to the delete.php file to reduce the risk of exploitation until the code is fixed.
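The following is an added illustration, not code from the DTracker plugin or from the advisory author: it models the delete.php flaw and the recommended fix in Python against an in-memory SQLite table. The table and column names and the sample rows are constructed assumptions; the plugin's real schema and query text are not on this page.

```python
import sqlite3

# Constructed sample data standing in for the plugin's contacts table.
# Table/column names are assumptions for this example, not DTracker's own.
SAMPLE_CONTACTS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Return a fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dtracker_contacts (id INTEGER PRIMARY KEY, name TEXT)"
    )
    conn.executemany("INSERT INTO dtracker_contacts VALUES (?, ?)", SAMPLE_CONTACTS)
    conn.commit()
    return conn


def delete_vulnerable(conn, contact_id):
    """Unsanitized pattern (the flaw described above): the request value is
    pasted straight into the SQL text. Returns the number of rows deleted."""
    sql = f"DELETE FROM dtracker_contacts WHERE id = {contact_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_hardened(conn, contact_id):
    """Recommended pattern: validate the id as a non-negative integer and bind
    it as a query parameter so it can never change the statement structure.
    Returns the number of rows deleted; raises ValueError on bad input."""
    text = str(contact_id).strip()
    if not text.isdigit():
        raise ValueError("contact id must be a non-negative integer")
    cur = conn.execute(
        "DELETE FROM dtracker_contacts WHERE id = ?", (int(text),)
    )
    conn.commit()
    return cur.rowcount


def remaining(conn):
    """Rows still present in the contacts table."""
    return conn.execute("SELECT COUNT(*) FROM dtracker_contacts").fetchone()[0]


def hardened_rejects(payload):
    """True if the hardened version refuses the payload without touching data."""
    conn = make_db()
    try:
        delete_hardened(conn, payload)
    except ValueError:
        return remaining(conn) == len(SAMPLE_CONTACTS)
    return False


def demo(payload="1 OR 1=1"):
    """Run one injected payload through the vulnerable delete and report
    (rows_deleted, rows_left). With the default payload every row is gone."""
    conn = make_db()
    deleted = delete_vulnerable(conn, payload)
    return deleted, remaining(conn)


if __name__ == "__main__":
    print("vulnerable:", demo())            # (3, 0): whole table wiped
    print("hardened rejects:", hardened_rejects("1 OR 1=1"))  # True
```

A payload such as `1 OR 1=1` turns the intended single-row delete into `DELETE ... WHERE id = 1 OR 1=1`, which removes every contact; this is the integrity-only impact (I:H) reflected in the CVSS vector above. In WordPress the bound-parameter form corresponds to building the statement with `$wpdb->prepare()` using a `%d` placeholder (or casting the id with `absint()` first) rather than interpolating the request variable into the query string.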

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2017-1002005

Affected Products

Dtracker