CVE-2008-6741

Simple Machines Forum < 1.1.4 - SQL Injection

Title source: rule
STIX 2.1

Description

SQL injection vulnerability in Load.php in Simple Machines Forum (SMF) 1.1.4 and earlier allows remote attackers to execute arbitrary SQL commands by setting the db_character_set parameter to a multibyte character set such as big5, which causes the addslashes PHP function to produce a "\" (backslash) sequence that does not quote the "'" (single quote) character, as demonstrated via a manlabels action to index.php.

Exploits (1)

exploitdb WORKING POC VERIFIED
by The:Paradox · pythonwebappsphp
https://www.exploit-db.com/exploits/5826

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/43118
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/5826
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/29734

Scores

EPSS 0.0032
EPSS Percentile 55.3%

Details

CWE
CWE-89
Status published
Products (10)
simple_machines/simple_machines_forum 1.0.5
simple_machines/simple_machines_forum 1.0.6
simple_machines/simple_machines_forum 1.0.7
simple_machines/simple_machines_forum 1.0.11
simple_machines/simple_machines_forum 1.0.12
simple_machines/simple_machines_forum 1.1 rc1 (3 CPE variants)
simple_machines/simple_machines_forum 1.1.1
simple_machines/simple_machines_forum 1.1.2
simple_machines/simple_machines_forum 1.1.3
simple_machines/simple_machines_forum < 1.1.4
Published Apr 21, 2009
Tracked Since Feb 18, 2026