U-174: Serendipity Unspecified SQL Injection Vulnerability

May 22, 2012 - 7:00am

PROBLEM:

Serendipity Unspecified SQL Injection Vulnerability

PLATFORM:

1.6.1 and prior versions

ABSTRACT:

A vulnerability was reported in Serendipity. A remote user can inject SQL commands.

Reference Links:

SecurityTracker Alert ID: 1027079
Secunia Advisory SA49234
CVE-2012-2762

IMPACT ASSESSMENT:

Medium

Discussion:

The 'include/functions_trackbacks.inc.php' script does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.
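The advisory identifies the class of flaw (unvalidated input reaching a SQL statement) but not the exact query. The snippet below is an added example, not code from the Serendipity project or from the affected script; the table and column names, the $pdo handle and the parameter name are all hypothetical. It shows the general shape of the defect beside the fix a maintainer would apply: validate the type, then bind the value as a parameter so the database never interprets it as SQL.

```php
<?php
// Added example: hypothetical code, not Serendipity's and not the affected script.
// Table "entries", its columns, and the $pdo connection are assumptions.

// Connection with emulated prepares disabled, so placeholders are bound by the
// server rather than interpolated client-side (hypothetical DSN and credentials).
function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=blog;charset=utf8mb4',
        'dbuser',
        'dbpass',
        [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
}

// VULNERABLE pattern: the request value is concatenated straight into the query,
// so any SQL syntax in $entryId becomes part of the statement.
function fetch_entry_vulnerable(PDO $pdo, string $entryId)
{
    $sql = "SELECT id, title FROM entries WHERE id = " . $entryId;
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// HARDENED pattern: reject anything that is not an unsigned integer, then bind
// the value as a typed parameter of a prepared statement.
function fetch_entry_safe(PDO $pdo, string $entryId)
{
    if (!ctype_digit($entryId)) {
        return false; // not a valid id: refuse rather than try to "clean" it
    }
    $stmt = $pdo->prepare('SELECT id, title FROM entries WHERE id = :id');
    $stmt->bindValue(':id', (int) $entryId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Usage (hypothetical): the id is taken from the request as an opaque string.
$pdo = connect();
$entryId = isset($_GET['entry_id']) ? (string) $_GET['entry_id'] : '';
$row = fetch_entry_safe($pdo, $entryId);
var_dump($row);
```

Two points are worth noting for review of similar code: a numeric cast alone is not a substitute for a prepared statement once the parameter is a string (a title, a URL, a trackback excerpt), and `PDO::ATTR_EMULATE_PREPARES` should be off so that binding is performed by the database driver rather than by string substitution in PHP.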

Impact:

A remote user can execute SQL commands on the underlying database.

Solution:

The vendor has issued a fix (1.6.2).
