CVE-2014-5387
04.11.2014, 15:55
Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[] parameter to system/index.php or the (3) tbl_sort[0][] parameter in the comment module to system/index.php.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| ellislab | expressionengine | 2..5.4 |
| ellislab | expressionengine | 2.0.0:public_beta |
| ellislab | expressionengine | 2.0.1:public_beta |
| ellislab | expressionengine | 2.0.2:public_beta |
| ellislab | expressionengine | 2.3.1 |
| ellislab | expressionengine | 2.5.5 |
| ellislab | expressionengine | 2.6.1 |
| ellislab | expressionengine | 2.7.1 |
| ellislab | expressionengine | 2.7.2 |
| ellislab | expressionengine | 2.8.1 |
| expressionengine | expressionengine | 𝑥 ≤ 2.9.0 |
| expressionengine | expressionengine | 2.1.0 |
| expressionengine | expressionengine | 2.1.1 |
| expressionengine | expressionengine | 2.1.2 |
| expressionengine | expressionengine | 2.1.3 |
| expressionengine | expressionengine | 2.1.4 |
| expressionengine | expressionengine | 2.1.5 |
| expressionengine | expressionengine | 2.2.0 |
| expressionengine | expressionengine | 2.2.1 |
| expressionengine | expressionengine | 2.2.2 |
| expressionengine | expressionengine | 2.3.0 |
| expressionengine | expressionengine | 2.4.0 |
| expressionengine | expressionengine | 2.5.0 |
| expressionengine | expressionengine | 2.5.1 |
| expressionengine | expressionengine | 2.5.2 |
| expressionengine | expressionengine | 2.5.3 |
| expressionengine | expressionengine | 2.6.0 |
| expressionengine | expressionengine | 2.7.0 |
| expressionengine | expressionengine | 2.7.3 |
| expressionengine | expressionengine | 2.8.0 |
𝑥
= Vulnerable software versions
References