CVE-2019-1010034 - Vulnerability Details - OpenCVE

Deepwoods Software WebLibrarian 3.5.2 and earlier is affected by: SQL Injection. The impact is: Exposing the entire database. The component is: Function "AllBarCodes" (defined at database_code.php line 1018) is vulnerable to a boolean-based blind sql injection. This function call can be triggered by any user logged-in with at least Volunteer role or manage_circulation capabilities. PoC : /wordpress/wp-admin/admin.php?page=weblib-circulation-desk&orderby=title&order=DESC.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Deepsoft	Weblibrarian

Configuration 1 [-]

cpe:2.3:a:deepsoft:weblibrarian:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/weblibrarian/trunk/includes/database_code.php
https://wpvulndb.com/vulnerabilities/9553

History

No history.

MITRE

Status: PUBLISHED

Assigner: dwf

Published: 2019-07-15T12:39:12

Updated: 2024-08-05T03:07:17.921Z

Reserved: 2019-03-20T00:00:00

Link: CVE-2019-1010034

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-07-15T13:15:11.843

Modified: 2024-11-21T04:17:56.210

Link: CVE-2019-1010034

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "WebLibrarian", "vendor": "Deepwoods Software", "versions": [{"status": "affected", "version": "\u2264 3.5.2"}]}], "descriptions": [{"lang": "en", "value": "Deepwoods Software WebLibrarian 3.5.2 and earlier is affected by: SQL Injection. The impact is: Exposing the entire database. The component is: Function \"AllBarCodes\" (defined at database_code.php line 1018) is vulnerable to a boolean-based blind sql injection. This function call can be triggered by any user logged-in with at least Volunteer role or manage_circulation capabilities. PoC : /wordpress/wp-admin/admin.php?page=weblib-circulation-desk&orderby=title&order=DESC."}], "problemTypes": [{"descriptions": [{"description": "SQL Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-21T17:06:09", "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "shortName": "dwf"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://plugins.trac.wordpress.org/browser/weblibrarian/trunk/includes/database_code.php"}, {"tags": ["x_refsource_MISC"], "url": "https://wpvulndb.com/vulnerabilities/9553"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@distributedweaknessfiling.org", "ID": "CVE-2019-1010034", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WebLibrarian", "version": {"version_data": [{"version_value": "\u2264 3.5.2"}]}}]}, "vendor_name": "Deepwoods Software"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Deepwoods Software WebLibrarian 3.5.2 and earlier is affected by: SQL Injection. The impact is: Exposing the entire database. The component is: Function \"AllBarCodes\" (defined at database_code.php line 1018) is vulnerable to a boolean-based blind sql injection. This function call can be triggered by any user logged-in with at least Volunteer role or manage_circulation capabilities. PoC : /wordpress/wp-admin/admin.php?page=weblib-circulation-desk&orderby=title&order=DESC."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://plugins.trac.wordpress.org/browser/weblibrarian/trunk/includes/database_code.php", "refsource": "MISC", "url": "https://plugins.trac.wordpress.org/browser/weblibrarian/trunk/includes/database_code.php"}, {"name": "https://wpvulndb.com/vulnerabilities/9553", "refsource": "MISC", "url": "https://wpvulndb.com/vulnerabilities/9553"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:07:17.921Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://plugins.trac.wordpress.org/browser/weblibrarian/trunk/includes/database_code.php"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpvulndb.com/vulnerabilities/9553"}]}]}, "cveMetadata": {"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "assignerShortName": "dwf", "cveId": "CVE-2019-1010034", "datePublished": "2019-07-15T12:39:12", "dateReserved": "2019-03-20T00:00:00", "dateUpdated": "2024-08-05T03:07:17.921Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deepsoft:weblibrarian:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "204E6EE7-B451-44B1-8C42-E3445691079C", "versionEndIncluding": "3.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Deepwoods Software WebLibrarian 3.5.2 and earlier is affected by: SQL Injection. The impact is: Exposing the entire database. The component is: Function \"AllBarCodes\" (defined at database_code.php line 1018) is vulnerable to a boolean-based blind sql injection. This function call can be triggered by any user logged-in with at least Volunteer role or manage_circulation capabilities. PoC : /wordpress/wp-admin/admin.php?page=weblib-circulation-desk&orderby=title&order=DESC."}, {"lang": "es", "value": "WebLibrarian versiones 3.5.2 y anteriores del Software Deepwoods, est\u00e1 afectado por: Inyecci\u00f3n SQL. El impacto es: Exponer la base de datos completa. El componente es: La funci\u00f3n \"AllBarCodes\" (definida en database_code.php line 1018) es vulnerable a una inyecci\u00f3n SQL a ciegas basada en boolean. Esta llamada a la funci\u00f3n puede ser activada por cualquier usuario que haya iniciado sesi\u00f3n con al menos un rol de Voluntario o capacidades manage_circulation. PoC:/wordpress/wp-admin/admin.php?page=weblib-circulation-desk&orderby=title&order=DESC."}], "id": "CVE-2019-1010034", "lastModified": "2024-11-21T04:17:56.210", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-15T13:15:11.843", "references": [{"source": "josh@bress.net", "tags": ["Exploit", "Third Party Advisory"], "url": "https://plugins.trac.wordpress.org/browser/weblibrarian/trunk/includes/database_code.php"}, {"source": "josh@bress.net", "url": "https://wpvulndb.com/vulnerabilities/9553"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://plugins.trac.wordpress.org/browser/weblibrarian/trunk/includes/database_code.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://wpvulndb.com/vulnerabilities/9553"}], "sourceIdentifier": "josh@bress.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}