CVE-2017-6089

CRITICAL

Phpcollab < 2.5.1 - SQL Injection

Title source: rule

Description

SQL injection vulnerability in PhpCollab 2.5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) project or id parameters to topics/deletetopics.php; the (2) id parameter to bookmarks/deletebookmarks.php; or the (3) id parameter to calendar/deletecalendar.php.

Exploits (1)

exploitdb WORKING POC

by Sysdream · webappsphp

https://www.exploit-db.com/exploits/42935

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/42935/

[Exploit, Third Party Advisory] https://sysdream.com/news/lab/2017-09-29-cve-2017-6089-phpcollab-2-5-1-multiple-sql-injections-unauthenticated/

Scores

CVSS v3 9.8

EPSS 0.0264

EPSS Percentile 85.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

phpcollab/phpcollab < 2.5.1

Published Oct 03, 2017

Tracked Since Feb 18, 2026