PT-2023-9990 · Arc2 · Arc2

Beinux3

Published

2023-04-25

Updated

2025-02-03

CVE-2012-5872

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions ARC (aka ARC2) through 2011-12-01

Description The issue allows blind SQL Injection in the getTriplePatternSQL function within ARC2 StoreSelectQueryHandler.php via comments in a SPARQL WHERE clause.

Recommendations For ARC (aka ARC2) through 2011-12-01, consider disabling the getTriplePatternSQL function in ARC2 StoreSelectQueryHandler.php to prevent exploitation until a fix is available. Restrict access to comments in SPARQL WHERE clauses to minimize the risk of blind SQL Injection.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2012-5872

Affected Products

Arc2

PT-2023-9990 · Arc2 · Arc2

CVE-2012-5872

Weakness Enumeration

Related Identifiers

Affected Products

References · 5