CVE-2014-10029

FluxBB < 1.4.11 - SQL Injection

Title source: rule

Description

SQL injection vulnerability in profile.php in FluxBB before 1.4.13 and 1.5.x before 1.5.7 allows remote attackers to execute arbitrary SQL commands via the req_new_email parameter.

Exploits (1)

exploitdb WORKING POC
by secthrowaway · python · webapps · multiple
https://www.exploit-db.com/exploits/45595

References (6)

Core References
Vendor Advisory x_refsource_confirm
http://fluxbb.org/forums/viewtopic.php?id=8001
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59038
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Nov/73
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/98890
Vendor Advisory x_refsource_confirm
https://fluxbb.org/development/core/tickets/990/

Scores

EPSS 0.0428
EPSS Percentile 88.9%

Details

CWE
CWE-89
Status published
Products (8)
fluxbb/fluxbb 1.5.0
fluxbb/fluxbb 1.5.1
fluxbb/fluxbb 1.5.2
fluxbb/fluxbb 1.5.3
fluxbb/fluxbb 1.5.4
fluxbb/fluxbb 1.5.5
fluxbb/fluxbb 1.5.6
fluxbb/fluxbb < 1.4.11
Published Jan 13, 2015
Tracked Since Feb 18, 2026