CVE-2010-2672

Multiple SQL injection vulnerabilities in eZ Publish 3.7.0 through 4.2.0 allow remote attackers to execute arbitrary SQL commands via the (1) SectionID and (2) SearchTimestamp parameters to the search feature and the (3) SearchContentClassAttributeID parameter to the advancedsearch feature.

Published: Jul 9, 2010
Updated: Apr 13, 2023
CVE: CVE-2010-2672
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
ez / ez_publish	3.7.11	3.7.11.x
ez / ez_publish	3.7.4	3.7.4.x
ez / ez_publish	3.7.12	3.7.12.x
ez / ez_publish	3.7.7	3.7.7.x
ez / ez_publish	3.7.9	3.7.9.x
ez / ez_publish	3.7.1	3.7.1.x
ez / ez_publish	4.2.0	4.2.0.x
ez / ez_publish	3.7.10	3.7.10.x
ez / ez_publish	3.7.8	3.7.8.x
ez / ez_publish	3.7.3	3.7.3.x
ez / ez_publish	3.7.6	3.7.6.x
ez / ez_publish	3.7.2	3.7.2.x
ez / ez_publish	3.7.0	3.7.0.x
ez / ez_publish	3.7.5	3.7.5.x

http://ez.no/de/content/download/321165/3192248/version/1/file/16397.diff
http://ez.no/de/content/download/321166/3192253/version/1/file/16398.diff
http://ez.no/de/developer/security/security_advisories/ez_publish_4_2/ezsa_2010_001_remote_vulnerability_in_ez_search
http://osvdb.org/63237
http://osvdb.org/63238
http://secunia.com/advisories/39101
http://www.securityfocus.com/bid/38985
http://www.siberas.de/advisories/advisories_2010.html

Vulnerability Database

291,049

CVE-2010-2672