CVE-2019-6986
Severity: HIGH
Vitro < 1.11.0 - Regular Expression Denial of Service via SPARQL Injection in URI Parameter
SPARQL Injection in VIVO Vitro v1.10.0 allows a remote attacker to execute arbitrary SPARQL via the uri parameter, leading to a regular expression denial of service (ReDoS), as demonstrated by crafted use of FILTER%20regex in a /individual?uri= request.
References (3)
Exploit, Third Party Advisory
https://github.com/kevinbackhouse/SecurityExploits/tree/0ec74459ac53685a7959ed58d580ef8abece3685/vivo-project
Patch, Third Party Advisory
https://github.com/vivo-project/Vitro/pull/111
Exploit, Third Party Advisory
http://packetstormsecurity.com/files/172838/VIVO-SPARQL-Injection.html
Scores
CVSS v3
7.5
EPSS
0.0302
EPSS Percentile
85.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-400
CWE-77
Status
published
Products (2)
duraspace/vitro
1.10.0
org.vivoweb/vitro-project
0 - 1.11.0 (Maven)
Published
Jan 28, 2019
Tracked Since
Feb 18, 2026