CVE-2017-15367

CRITICAL

Bacula-web < 8.0.0-rc2 - SQL Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-15367. PoCs published by Gustavo Sorondo.

AI-analyzed exploit summary: The exploit demonstrates SQL injection vulnerabilities in Bacula-Web before 8.0.0-rc2, specifically in the /jobs.php, /backupjob-report.php, and /client-report.php scripts. It provides proof-of-concept GET requests to extract database version information via UNION-based SQLi.

Description

Bacula-web before 8.0.0-rc2 is affected by multiple SQL Injection vulnerabilities that could allow an attacker to access the Bacula database and, depending on configuration, escalate privileges on the server.

Exploits (1)

exploitdb WORKING POC
by Gustavo Sorondo · text · webapps · php
https://www.exploit-db.com/exploits/44272

Classification
Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Bacula-Web < 8.0.0-rc2
No auth needed
Prerequisites: Network access to the vulnerable Bacula-Web instance
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Release Notes, Vendor Advisory x_refsource_confirm
http://bacula-web.org/download/articles/bacula-web-8-0-0-rc2.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44272/
Issue Tracking, Vendor Advisory x_refsource_confirm
http://bugs.bacula-web.org/view.php?id=211

Scores

CVSS v3 9.8
EPSS 0.2220
EPSS Percentile 95.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (3)
bacula/bacula-web 8.0.0 rc1
bacula/bacula-web < 7.4.0
bacula-web/bacula-web 0 - 8.0.0-rc2 (Packagist)
Published: Mar 07, 2018
Tracked Since: Feb 18, 2026