CVE-2008-2565

Current Description

Multiple SQL injection vulnerabilities in PHP Address Book 3.1.5 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) view.php and (2) edit.php. NOTE: it was later reported that 4.0.x is also affected.

Referenced by CVEs: CVE-2009-2608, CVE-2012-1911, CVE-2013-1748

Basic Data

Published: June 06, 2008
Last Modified: October 11, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-89
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 7.5
Severity: HIGH
Exploitability Score: 10.0
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: true

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
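    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    | 2.3 | Application | Php-address Book | Php-address Book | 1.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 1.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 2.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 2.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 2.1.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 2.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 2.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 2.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 2.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.1.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.1.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.1.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.1.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.1.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.3.16 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.3.17 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.3.18 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.4.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.4.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.4.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.4.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.4.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.4.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.4.7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | 3.4.8 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Php-address Book | Php-address Book | * | * | * | * | * | * | * | * | | 4.0 | | |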

Vulnerable Software List

| Vendor | Product | Versions |
| Php-address Book | Php-address Book | *, 1.0, 1.2, 2.0, 2.1, 2.1.1, 2.2, 2.3, 2.4, 2.6, 3.0, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.3.16, 3.3.17, 3.3.18, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8 |

References

| Name | Source | URL | Tags |
| http://packetstormsecurity.com/files/129789/PHP-Address-Book-Cross-Site-Scripting-SQL-Injection.html | MISC | http://packetstormsecurity.com/files/129789/PHP-Address-Book-Cross-Site-Scripting-SQL-Injection.html | Exploit |
| 30540 | SECUNIA | http://secunia.com/advisories/30540 | Vendor Advisory |
| 35590 | SECUNIA | http://secunia.com/advisories/35590 | Vendor Advisory |
| 20090626 MULTIPLE SQL INJECTION VULNERABILITIES --PHP-AddressBook v-4.0.x--> | BUGTRAQ | http://www.securityfocus.com/archive/1/504595/100/0/threaded | |
| 35511 | BID | http://www.securityfocus.com/bid/35511 | |
| phpaddressbook-view-edit-sql-injection(42855) | XF | https://exchange.xforce.ibmcloud.com/vulnerabilities/42855 | |
| phpaddressbook-viewphp-sql-injection(99622) | XF | https://exchange.xforce.ibmcloud.com/vulnerabilities/99622 | |
| 5739 | EXPLOIT-DB | https://www.exploit-db.com/exploits/5739 | |
| 9023 | EXPLOIT-DB | https://www.exploit-db.com/exploits/9023 | |