CVE-2012-3469

Ushahidi Platform < 2.5 - SQL Injection via Messages Admin or Location API

Description

Multiple SQL injection vulnerabilities in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the messages admin functionality in application/controllers/admin/messages.php, (2) application/libraries/api/MY_Checkin_Api_Object.php, (3) application/controllers/admin/messages/reporters.php, or (4) the location API in application/libraries/api/MY_Locations_Api_Object.php and application/models/location.php.

Scores

EPSS 0.0132
EPSS Percentile 67.2%

Details

CWE CWE-89
Status published
Products (10)
ushahidi/ushahidi_platform 1.0
ushahidi/ushahidi_platform 1.2
ushahidi/ushahidi_platform 2.0
ushahidi/ushahidi_platform 2.1
ushahidi/ushahidi_platform 2.2
ushahidi/ushahidi_platform 2.2.1
ushahidi/ushahidi_platform 2.3.1
ushahidi/ushahidi_platform 2.3.2
ushahidi/ushahidi_platform 2.4
ushahidi/ushahidi_platform < 2.4.1
Published Aug 12, 2012
Tracked Since Feb 18, 2026