CVE-2009-1409

E107 - SQL Injection

Title source: rule

Description

SQL injection vulnerability in usersettings.php in e107 0.7.15 and earlier, when "Extended User Fields" is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the hide parameter, a different vector than CVE-2005-4224 and CVE-2008-5320.

Exploits (1)

exploitdb WORKING POC VERIFIED

by StAkeR · perlwebappsphp

https://www.exploit-db.com/exploits/8495

View Code ZIP pw:eip

References (5)

[Third Party Advisory, VDB Entry] http://osvdb.org/53812

[Vendor Advisory] http://secunia.com/advisories/34823

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/34614

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/49981

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/8495

Scores

EPSS 0.0038

EPSS Percentile 59.7%

Details

CWE

CWE-89

Status published

Products (50)

e107/e107 0.6_10

e107/e107 0.6_11

e107/e107 0.6_12

e107/e107 0.6_13

e107/e107 0.6_14

e107/e107 0.6_15

e107/e107 0.6_15a

e107/e107 0.7

e107/e107 0.7.1

e107/e107 0.7.2

... and 40 more

Published Apr 24, 2009

Tracked Since Feb 18, 2026