Description
SQL injection vulnerability in the check_banlist function in includes/sessions.php in Enano CMS 1.1.7pl1; 1.0.6pl2; and possibly other versions before 1.1.8, 1.0.6pl3, and 1.1.7pl2 allows remote attackers to execute arbitrary SQL commands via the email parameter to index.php. NOTE: some of these details are obtained from third party information.
Exploits (1)
exploitdb
WRITEUP
VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/15645
References (8)
Core 8
Core References
Various Sources x_refsource_confirm
http://enanocms.org/News:Article/2010/11/16/Enano_1.1.8.2c_1.0.6pl3.2c_and_1.1.7pl2_released
Exploit exploit
x_refsource_exploit-db
http://www.exploit-db.com/exploits/15645
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/42375
Exploit x_refsource_misc
http://packetstormsecurity.org/files/view/96229/enanocms-sqldisclose.txt
Exploit x_refsource_misc
http://www.htbridge.ch/advisory/sql_injection_in_enano_cms.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/69537
Third Party Advisory third-party-advisory
x_refsource_sreason
http://securityreason.com/securityalert/8183
Exploit vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/45120
Scores
EPSS
0.0233
EPSS Percentile
84.9%
Details
CWE
CWE-89
Status
published
Products (23)
enanocms/enano_cms
0.8.1
enanocms/enano_cms
0.8.2
enanocms/enano_cms
0.8.3
enanocms/enano_cms
0.8.4
enanocms/enano_cms
0.9.1
enanocms/enano_cms
0.9.2
enanocms/enano_cms
0.9.3
enanocms/enano_cms
1.0
enanocms/enano_cms
1.0.1
enanocms/enano_cms
1.0.2
... and 13 more
Published
Apr 07, 2011
Tracked Since
Feb 18, 2026