NVD Vulnerability Detail

CVE-2014-1401

Summary	Multiple SQL injection vulnerabilities in AuraCMS 2.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) search parameter to mod/content/content.php or (2) CLIENT_IP, (3) X_FORWARDED_FOR, (4) X_FORWARDED, (5) FORWARDED_FOR, or (6) FORWARDED HTTP header to index.php.
Publication Date	Feb. 12, 2014, 2:55 a.m.
Registration Date	Jan. 26, 2021, 3:06 p.m.
Last Update	Nov. 21, 2024, 11:04 a.m.

Affected software configurations

Related information, measures and tools

No	URL	refsource	タグ
1	http://packetstormsecurity.com/files/125079
2	http://packetstormsecurity.com/files/125079
3	http://secunia.com/advisories/56804
4	http://secunia.com/advisories/56804
5	http://www.exploit-db.com/exploits/31520
6	http://www.exploit-db.com/exploits/31520
7	http://www.securityfocus.com/archive/1/530930/100/0/threaded
8	http://www.securityfocus.com/archive/1/530930/100/0/threaded
9	https://exchange.xforce.ibmcloud.com/vulnerabilities/90965
10	https://exchange.xforce.ibmcloud.com/vulnerabilities/90965
11	https://github.com/auracms/AuraCMS/commit/4fe9d0d31a32df392f4d6ced8e5c25ed4af19ade
12	https://github.com/auracms/AuraCMS/commit/4fe9d0d31a32df392f4d6ced8e5c25ed4af19ade
13	https://github.com/auracms/AuraCMS/commit/790f66ffbc4f23a6e13636fc79d0aa1a7d81e747
14	https://github.com/auracms/AuraCMS/commit/790f66ffbc4f23a6e13636fc79d0aa1a7d81e747
15	https://www.htbridge.com/advisory/HTB23196
16	https://www.htbridge.com/advisory/HTB23196

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-89	SQLインジェクション	https://cwe.mitre.org/data/definitions/89.html

JVN Vulnerability Information

AuraCMS における SQL インジェクションの脆弱性

Title	AuraCMS における SQL インジェクションの脆弱性
Summary	AuraCMS には、SQL インジェクションの脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、index.php の以下の項目を介して、任意の SQL コマンドを実行される可能性があります。 (1) search パラメータ (2) CLIENT_IP HTTP ヘッダ (3) X_FORWARDED_FOR HTTP ヘッダ (4) X_FORWARDED HTTP ヘッダ (5) FORWARDED_FOR HTTP ヘッダ (6) FORWARDED HTTP ヘッダ
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 30, 2014, midnight
Registration Date	Feb. 13, 2014, 5:02 p.m.
Last Update	Feb. 24, 2014, 6:01 p.m.

Affected System

AuraCMS

AuraCMS 2.3 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-1401	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1401
National Vulnerability Database (NVD)
2	CVE-2014-1401	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1401

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-89	https://jvndb.jvn.jp/ja/cwe/CWE-89.html

ベンダー情報

No	Name	URL
AuraCMS
1	Top Page	http://auracms.org/
GitHub
2	AuraCMS	https://github.com/auracms/AuraCMS/commit/790f66ffbc4f23a6e13636fc79d0aa1a7d81e747
3	Update VCounter	https://github.com/auracms/AuraCMS/commit/4fe9d0d31a32df392f4d6ced8e5c25ed4af19ade

その他

No	Name	URL
関連文書
1	Multiple SQL Injection Vulnerabilities in AuraCMS	http://www.securityfocus.com/archive/1/archive/1/530930/100/0/threaded

Change Log

No	Changed Details	Date of change
0	[2014年02月13日] 掲載 [2014年02月24日] ベンダ情報：AuraCMS (AuraCMS) を追加	Feb. 17, 2018, 10:37 a.m.