ID

VAR-201502-0073


CVE

CVE-2015-1471


TITLE

Pragyan CMS SQL Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2015-01020 // CNNVD: CNNVD-201502-274

DESCRIPTION

SQL injection vulnerability in userprofile.lib.php in Pragyan CMS 3.0 allows remote attackers to execute arbitrary SQL commands via the user parameter to the default URI. Pragyan CMS is a content management system. Pragyan CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Pragyan CMS 3.0 is vulnerable; other versions may also be affected.

Trust: 2.43

sources: NVD: CVE-2015-1471 // JVNDB: JVNDB-2015-001494 // CNVD: CNVD-2015-01020 // BID: 72637

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-01020

AFFECTED PRODUCTS

vendor: pragyan cms, model: pragyan cms, scope: eq, version: 3.0

Trust: 2.4

vendor: pragyan, model: cms pragyan cms, scope: eq, version: 3.0

Trust: 0.6

vendor: delta, model: force pragyan, scope: eq, version: 3.0

Trust: 0.3

sources: CNVD: CNVD-2015-01020 // BID: 72637 // JVNDB: JVNDB-2015-001494 // CNNVD: CNNVD-201502-274 // NVD: CVE-2015-1471

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-1471
value: HIGH

Trust: 1.0

NVD: CVE-2015-1471
value: HIGH

Trust: 0.8

CNVD: CNVD-2015-01020
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201502-274
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2015-1471
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-01020
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:N/C:C/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2015-01020 // JVNDB: JVNDB-2015-001494 // CNNVD: CNNVD-201502-274 // NVD: CVE-2015-1471

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2015-001494 // NVD: CVE-2015-1471

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201502-274

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201502-274

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001494

PATCH

title: Update index.php, url: https://github.com/delta/pragyan/commit/c93bc100ec93fc78940fbdca9b6b009101858309

Trust: 0.8

title: SQL injection vulnerability in Pragyan CMS v.3 #206, url: https://github.com/delta/pragyan/issues/206

Trust: 0.8

title: index.php, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53837

Trust: 0.6

sources: JVNDB: JVNDB-2015-001494 // CNNVD: CNNVD-201502-274

EXTERNAL IDS

db: NVD, id: CVE-2015-1471

Trust: 3.3

db: JVNDB, id: JVNDB-2015-001494

Trust: 0.8

db: EXPLOITDB, id: 35991

Trust: 0.6

db: EXPLOIT-DB, id: 35991

Trust: 0.6

db: CNVD, id: CNVD-2015-01020

Trust: 0.6

db: CNNVD, id: CNNVD-201502-274

Trust: 0.6

db: BID, id: 72637

Trust: 0.3

sources: CNVD: CNVD-2015-01020 // BID: 72637 // JVNDB: JVNDB-2015-001494 // CNNVD: CNNVD-201502-274 // NVD: CVE-2015-1471

REFERENCES

url:http://sroesemann.blogspot.de/2015/02/advisory-for-sroeadv-2015-11.html

Trust: 1.6

url:http://sroesemann.blogspot.de/2015/01/sroeadv-2015-11.html

Trust: 1.6

url:https://github.com/delta/pragyan/issues/206

Trust: 1.6

url:http://seclists.org/fulldisclosure/2015/feb/18

Trust: 1.6

url:http://pastebin.com/ip2ggyus

Trust: 1.6

url:http://seclists.org/oss-sec/2015/q1/402

Trust: 1.6

url:https://github.com/delta/pragyan/commit/c93bc100ec93fc78940fbdca9b6b009101858309

Trust: 1.6

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-1471

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-1471

Trust: 0.8

url:http://www.exploit-db.com/exploits/35991/

Trust: 0.6

url:https://github.com/delta/pragyan

Trust: 0.3

url:https://github.com/delta/pragyan/issues/206

Trust: 0.3

url:http://sroesemann.blogspot.de/2015/01/sroeadv-2015-11.html

Trust: 0.3

sources: CNVD: CNVD-2015-01020 // BID: 72637 // JVNDB: JVNDB-2015-001494 // CNNVD: CNNVD-201502-274 // NVD: CVE-2015-1471

CREDITS

Steffen Rösemann

Trust: 0.3

sources: BID: 72637

SOURCES

db: CNVD, id: CNVD-2015-01020
db: BID, id: 72637
db: JVNDB, id: JVNDB-2015-001494
db: CNNVD, id: CNNVD-201502-274
db: NVD, id: CVE-2015-1471

LAST UPDATE DATE

2025-04-13T23:26:47.290000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2015-01020, date: 2015-02-11T00:00:00
db: BID, id: 72637, date: 2015-01-19T00:00:00
db: JVNDB, id: JVNDB-2015-001494, date: 2015-02-18T00:00:00
db: CNNVD, id: CNNVD-201502-274, date: 2015-02-13T00:00:00
db: NVD, id: CVE-2015-1471, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2015-01020, date: 2015-02-11T00:00:00
db: BID, id: 72637, date: 2015-01-19T00:00:00
db: JVNDB, id: JVNDB-2015-001494, date: 2015-02-18T00:00:00
db: CNNVD, id: CNNVD-201502-274, date: 2015-02-13T00:00:00
db: NVD, id: CVE-2015-1471, date: 2015-02-12T16:59:05.050