CVE-2014-4736

E2 <2.4 - SQL Injection

Title source: llm

Description

SQL injection vulnerability in E2 before 2.4 (2845) allows remote attackers to execute arbitrary SQL commands via the note-id parameter to @actions/comment-process.

Exploits (1)

exploitdb WORKING POC VERIFIED

by High-Tech Bridge · htmlwebappsphp

https://www.exploit-db.com/exploits/39267

View Code ZIP pw:eip

References (4)

[Exploit] http://packetstormsecurity.com/files/127594/E2-2844-SQL-Injection.html

[Exploit] http://www.securityfocus.com/bid/68843

[Exploit] https://www.htbridge.com/advisory/HTB23222

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/532867/100/0/threaded

Scores

EPSS 0.0169

EPSS Percentile 82.3%

Details

CWE

CWE-89

Status published

Products (1)

blogengine/e2 < 2.4

Published Jul 24, 2014

Tracked Since Feb 18, 2026