WebsiteBaker > Security Announcements

Warning: SQL Injection vulnerability

DarkViper:
!! Warning !! On Wed, 24 Feb 2016 we got this notification:

--- Quote ---
Advisory ID: HTB23296
Reference: https://www.htbridge.com/advisory/HTB23296
Product: WebsiteBaker
Vendor: WebsiteBaker Org e.V. ( http://WebsiteBaker.org/ )
Vulnerable Version(s): 2.8.3-SP5 and probably prior
Tested Version: 2.8.3-SP5
Public Disclosure: March 16, 2016
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: Critical
CVSSv3 Base Score: 10 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H]
Discovered and Provided: High-Tech Bridge Security Research Lab
--- End quote ---


That SQL Injection vulnerability is present in all WB versions less than 2.8.3-SP6.
It allows privilege escalation as well as a complete takeover of the whole database and possibly the server too.

*** We strongly recommend upgrading all former installations to the newest 2.8.3+SP7 as soon as possible. ***

Right now we are checking for similar vulnerabilities to fix them before WB 2.8.3+SP7 reaches stable state.

Take care: All of the previous versions before WB 2.8.3+SP6 are prone to attacks!! It is solely your own decision to get a secure system!
You can get the downloads from our Wiki and the Addon repository too.

Downloads from any other sources are not official WebsiteBaker downloads and should be treated with care. We cannot promise that they work 'fault free'!

Have fun with WebsiteBaker,

Manuela
