PT-2017-7893 · Joomla · Virtuemart

Code16 · Published 2017-05-29 · Updated 2017-06-08 · CVE-2016-10379

CVSS v3.1: 7.2 High

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

VirtueMart com_virtuemart component version 3.0.14 for Joomla!

Description

The issue allows SQL injection by remote authenticated administrators. This can be achieved via the virtuemart_paymentmethod_id or virtuemart_shipmentmethod_id parameter to the "administrator/index.php" endpoint.

Recommendations

For VirtueMart com_virtuemart component version 3.0.14, consider restricting access to the virtuemart_paymentmethod_id and virtuemart_shipmentmethod_id parameters in the administrator/index.php endpoint until a patch is available.

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2016-10379

Affected Products

Virtuemart