CVE-2017-15367

CRITICAL

Bacula-web < 7.4.0 - SQL Injection

Title source: rule

Description

Bacula-web before 8.0.0-rc2 is affected by multiple SQL Injection vulnerabilities that could allow an attacker to access the Bacula database and, depending on configuration, escalate privileges on the server.

Exploits (1)

exploitdb WORKING POC
by Gustavo Sorondo · text · webapps · php
https://www.exploit-db.com/exploits/44272

Scores

CVSS v3 9.8
EPSS 0.2220
EPSS Percentile 95.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (3)
bacula/bacula-web 8.0.0 rc1
bacula/bacula-web < 7.4.0
bacula-web/bacula-web 0 - 8.0.0-rc2 (Packagist)
Published Mar 07, 2018
Tracked Since Feb 18, 2026