CVE-2007-6375 - OpenCVE

Multiple SQL injection vulnerabilities in Bitweaver 2.0.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) sort_mode parameter to wiki/list_pages.php and the (2) highlight parameter to search/index.php. NOTE: the researcher also reported injection via JavaScript code in the Search box, but this is probably a forced SQL error or other separate primary issue.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Bitweaver	Bitweaver

Configuration 1 [-]

OR	cpe:2.3:a:bitweaver:bitweaver::::::::
	cpe:2.3:a:bitweaver:bitweaver:1.1.1_beta:::::::*
	cpe:2.3:a:bitweaver:bitweaver:1.2.1:::::::*
	cpe:2.3:a:bitweaver:bitweaver:1.3:::::::*
	cpe:2.3:a:bitweaver:bitweaver:1.3.1:::::::*

References

Link	Resource
http://securityreason.com/securityalert/3428
http://www.hackerscenter.com/archive/view.asp?id=28129
http://www.securityfocus.com/archive/1/484805/100/0/threaded
http://www.securityfocus.com/bid/26801	Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/38943

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2007-12-15T01:00:00

Updated: 2018-10-15T20:57:01

Reserved: 2007-12-14T00:00:00

Link: CVE-2007-6375

JSON object: View

NVD Information

Status : Modified

Published: 2007-12-15T01:46:00.000

Modified: 2018-10-15T21:52:31.047

Link: CVE-2007-6375

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-12-09T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in Bitweaver 2.0.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) sort_mode parameter to wiki/list_pages.php and the (2) highlight parameter to search/index.php. NOTE: the researcher also reported injection via JavaScript code in the Search box, but this is probably a forced SQL error or other separate primary issue."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.hackerscenter.com/archive/view.asp?id=28129"}, {"name": "20071209 Bitweaver XSS & SQL Injection Vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/484805/100/0/threaded"}, {"name": "3428", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/3428"}, {"name": "bitweaver-listpages-index-sql-injection(38943)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/38943"}, {"name": "26801", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/26801"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-6375", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple SQL injection vulnerabilities in Bitweaver 2.0.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) sort_mode parameter to wiki/list_pages.php and the (2) highlight parameter to search/index.php. NOTE: the researcher also reported injection via JavaScript code in the Search box, but this is probably a forced SQL error or other separate primary issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.hackerscenter.com/archive/view.asp?id=28129", "refsource": "MISC", "url": "http://www.hackerscenter.com/archive/view.asp?id=28129"}, {"name": "20071209 Bitweaver XSS & SQL Injection Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/484805/100/0/threaded"}, {"name": "3428", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/3428"}, {"name": "bitweaver-listpages-index-sql-injection(38943)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/38943"}, {"name": "26801", "refsource": "BID", "url": "http://www.securityfocus.com/bid/26801"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-6375", "datePublished": "2007-12-15T01:00:00", "dateReserved": "2007-12-14T00:00:00", "dateUpdated": "2018-10-15T20:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bitweaver:bitweaver:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDB8C4F9-CDBE-4116-95B3-0D4402F708DC", "versionEndIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:bitweaver:bitweaver:1.1.1_beta:*:*:*:*:*:*:*", "matchCriteriaId": "431C0A41-841E-48B2-88D3-B94A43F56D51", "vulnerable": true}, {"criteria": "cpe:2.3:a:bitweaver:bitweaver:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "FA6E9A08-F938-4E3F-BA68-E307E839335B", "vulnerable": true}, {"criteria": "cpe:2.3:a:bitweaver:bitweaver:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "5657A816-9C53-4D97-90C4-357FCCA7057D", "vulnerable": true}, {"criteria": "cpe:2.3:a:bitweaver:bitweaver:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "D6D44BA4-E55B-4E4A-B7CE-C5C347FB3902", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in Bitweaver 2.0.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) sort_mode parameter to wiki/list_pages.php and the (2) highlight parameter to search/index.php. NOTE: the researcher also reported injection via JavaScript code in the Search box, but this is probably a forced SQL error or other separate primary issue."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en Bitweaver 2.0.0 y versiones anteriores. Permite que atacantes remotos ejecuten comandos SQL de su elecci\u00f3n a trav\u00e9s de (1) el par\u00e1metro sort_mode pasado a wiki/list_pages.php, y el (2) par\u00e1metro highlight pasado a search/index.php. NOTA: el investigador tambi\u00e9n inform\u00f3 sobre injecci\u00f3n a trav\u00e9s de c\u00f3digo JavaScript en el cuadro de b\u00fasqueda, pero esto es, probablemente, un error forzado de SQL u otro asunto primario aparte."}], "id": "CVE-2007-6375", "lastModified": "2018-10-15T21:52:31.047", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-12-15T01:46:00.000", "references": [{"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/3428"}, {"source": "cve@mitre.org", "url": "http://www.hackerscenter.com/archive/view.asp?id=28129"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/484805/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/26801"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/38943"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}