[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] [CVE-2014-3749] Construtiva CIS Manager CMS POST SQLi

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] [CVE-2014-3749] Construtiva CIS Manager CMS POST SQLi
From: "Edge" <edge@xxxxxxxxxxxxx>
Date: Thu, 15 May 2014 17:17:24 -0700

Construtiva CIS Manager CMS POST SQLi

TL;DR;
======

    . PRODUCT : Construtiva CIS Manager
    . TYPE    : SQLi http://site/autenticar/lembrarlogin.asp (POST email)
    . CVE     : CVE-2014-3749


Software Description
====================

    . The CIS Manager platform is a complete and powerful tool to manage
sites and corporative portals on the Internet. The platform components
bring autonomy to your company to manage the content (structure,
texts, images, downloadable files, articles, news...) without the need
of a developer.

     (...)


Release date
============

2014-05-16


Details
=======

    . SQL injection using POST parameters:

         URL: http://site/autenticar/lembrarlogin.asp
         TYPE: error-based
         PARAM: email
         PAYLOAD: email=xxx' AND (...)


Disclosure Timeline
===================

2014-04-16: Vendor notification.
2014-04-26: No response. Vendor notification again.
2014-05-10: No response. Vendor notification again.
2014-05-16: Public disclosure.


Contact
=======

Thiago C.
edge () bitmessage.ch




_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] CVE-2014-3719 SQL Injection Vulnerability
Next by Date: [FD] check_dhcp - Nagios Plugins <= 2.0.1 Arbitrary Option File Read
Previous by thread: [FD] CVE-2014-3719 SQL Injection Vulnerability
Next by thread: [FD] check_dhcp - Nagios Plugins <= 2.0.1 Arbitrary Option File Read
Index(es):
- Date
- Thread