CVE-2016-7405
CRITICAL severity · CVSS 9.8 · SQL injection
9.8CVSS CRITICAL
Summary
The qstr method in the PDO driver in the ADOdb Library for PHP before 5.x before 5.20.7 might allow remote attackers to conduct SQL injection attacks via vectors related to incorrect quoting.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)3%
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: http://www.openwall.com/lists/oss-security/2016/09/07/8 ↗
Additional information
- NVD record
- http://www.openwall.com/lists/oss-security/2016/09/07/8Patch
- http://www.openwall.com/lists/oss-security/2016/09/15/1Patch
- https://github.com/ADOdb/ADOdb/blob/v5.20.7/docs/changelog.mdPatch
- https://github.com/ADOdb/ADOdb/commit/bd9eca9f40220f9918ec3cc7ae9ef422b3e448b8Patch
- https://github.com/ADOdb/ADOdb/issues/226Patch
- http://www.securityfocus.com/bid/92969Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LT3WU77BRUJREZUYQ3ZQBMUIVIVIND4Y/
- https://security.gentoo.org/glsa/201701-59