Vulnerability Details CVE-2014-2531
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) Resellers interface, as demonstrated by the "or" key in a pgn8state object in an i object in a JSON object.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 73.2%
CVSS Severity
CVSS v2 Score 6.5
References
- http://forums.interworx.com/threads/8000-InterWorx-Version-5-0-14-Released-on-Beta-Channel%21
- http://www.exploit-db.com/exploits/32516
- http://www.securityfocus.com/archive/1/531601/100/0/threaded
- http://forums.interworx.com/threads/8000-InterWorx-Version-5-0-14-Released-on-Beta-Channel%21
- http://www.exploit-db.com/exploits/32516
- http://www.securityfocus.com/archive/1/531601/100/0/threaded
Products affected by CVE-2014-2531
-
cpe:2.3:a:interworx:web_control_panel:3.0.2
-
cpe:2.3:a:interworx:web_control_panel:5.0
-
cpe:2.3:a:interworx:web_control_panel:5.0.10
-
cpe:2.3:a:interworx:web_control_panel:5.0.11
-
cpe:2.3:a:interworx:web_control_panel:5.0.12
-
cpe:2.3:a:interworx:web_control_panel:5.0.13