CVE-2014-9528
NONE EPSS 81.5%
Published Jan 6, 2015 (11y ago) · Last Modified Jun 17, 2026 (2w ago)
Description
SQL injection vulnerability in the actionIndex function in protected/modules_core/notification/controllers/ListController.php in HumHub 0.10.0-rc.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the from parameter to index.php. NOTE: this can be leveraged for cross-site scripting (XSS) attacks via a request that causes an error.
Threat Intelligence
EPSS Exploit Probability
81.5% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses 1
CWE-89 SQL Injection
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| humhub | humhub | * | ≤0.10.0 |
References 5
- packetstormsecurity.com http://packetstormsecurity.com/files/129440/Humhub-0.10.0-rc.1-Cross-Site-Scripting-SQL-Injection.html
- seclists.org http://seclists.org/fulldisclosure/2014/Dec/31
- exploit-db.com http://www.exploit-db.com/exploits/35510
- exchange.xforce.ibmcloud.com https://exchange.xforce.ibmcloud.com/vulnerabilities/99272
- github.com https://github.com/humhub/humhub/commit/febb89ab823d0bd6246c6cf460addabb6d7a01d4
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.