PT-2017-14330 · Zeebuddy · Zeebuddy

Ihsan Sencan

Published

2017-10-29

Updated

2017-11-17

CVE-2017-15976

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions ZeeBuddy versions 2.x

Description The issue allows SQL Injection via the groupid parameter in the "admin/editadgroup.php" API endpoint.

Recommendations For ZeeBuddy version 2.x, avoid using the groupid parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

CVE-2017-15976

Zeebuddy