PT-2017-11012 · Easy Team · Easy Team Manager

Larry W. Cashdollar

Published

2017-09-14

Updated

2017-09-21

CVE-2017-1002023

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Easy Team Manager version 1.3.2

Description The issue arises from a lack of sanitization of the id before it is used in an SQL statement, specifically in the file ./easy-team-manager/inc/easy team manager desc edit.php. This could potentially lead to SQL injection attacks.

Recommendations For Easy Team Manager version 1.3.2, consider disabling the editing functionality in the easy team manager desc edit.php file until a patch is available that properly sanitizes the id variable. Restrict access to this file to minimize the risk of exploitation. Avoid using the id variable in SQL statements until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2017-1002023

Affected Products

Easy Team Manager

PT-2017-11012 · Easy Team · Easy Team Manager

CVE-2017-1002023

Weakness Enumeration

Related Identifiers

Affected Products

References · 4