CVE-2014-9435

Absolut Engine 1.73 - SQL Injection

Title source: llm
STIX 2.1

Description

Multiple SQL injection vulnerabilities in Absolut Engine 1.73 allow remote authenticated users to execute arbitrary SQL commands via the (1) sectionID parameter to admin/managersection.php, (2) userID parameter to admin/edituser.php, (3) username parameter to admin/admin.php, or (4) title parameter to admin/managerrelated.php.

Exploits (1)

exploitdb WRITEUP
by Steffen Rösemann · textwebappsphp
https://www.exploit-db.com/exploits/35670

References (3)

Core 3
Core References
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Dec/131
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/71822

Scores

EPSS 0.0169
EPSS Percentile 82.3%

Details

CWE
CWE-89
Status published
Products (1)
absolutengine/absolut_engine 1.73
Published Jan 02, 2015
Tracked Since Feb 18, 2026