CVE-2014-9528

NONE EPSS 81.5%
Published Jan 6, 2015 (11y ago)
Last Modified Jun 17, 2026 (2w ago)

Description

SQL injection vulnerability in the actionIndex function in protected/modules_core/notification/controllers/ListController.php in HumHub 0.10.0-rc.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the from parameter to index.php. NOTE: this can be leveraged for cross-site scripting (XSS) attacks via a request that causes an error.

Threat Intelligence

EPSS Exploit Probability
81.5% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-89 SQL Injection

Affected Products 1

Vendor | Product | Version | Range
humhub | humhub | * | ≤0.10.0

References 5

  • packetstormsecurity.com http://packetstormsecurity.com/files/129440/Humhub-0.10.0-rc.1-Cross-Site-Scripting-SQL-Injection.html
    Exploit
  • seclists.org http://seclists.org/fulldisclosure/2014/Dec/31
    Exploit
  • exploit-db.com http://www.exploit-db.com/exploits/35510
    Exploit
  • exchange.xforce.ibmcloud.com https://exchange.xforce.ibmcloud.com/vulnerabilities/99272
  • github.com https://github.com/humhub/humhub/commit/febb89ab823d0bd6246c6cf460addabb6d7a01d4

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.