SQL Injection in Symphony - Vulnerability Database

SQL Injection in Symphony

Description

An SQL injection vulnerability in Symphony CMS before 2.3.2 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter to system/authors/. This vulnerability can also be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.

Remediation

Upgrade to the latest version of Symphony.

References

Symphony 2.3.2 Fixes

Related Vulnerabilities

Severity

High

Classification

CVE-2013-2559

CWE-89

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N