CVE-2015-8356

Published: 14/04/2017 Updated: 09/10/2018
CVSS v2 Base Score: 6 | Impact Score: 6.4 | Exploitability Score: 6.8
CVSS v3 Base Score: 8 | Impact Score: 5.9 | Exploitability Score: 2.1
VMScore: 605
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Vulnerability Summary

Multiple SQL injection vulnerabilities in the mcart.xls module 6.5.2 and previous versions for Bitrix allow remote authenticated users to execute arbitrary SQL commands via the (1) xls_profile parameter to admin/mcart_xls_import.php or the (2) xls_iblock_id, (3) xls_iblock_section_id, (4) firstRow, (5) titleRow, (6) firstColumn, (7) highestColumn, (8) sku_iblock_id, or (9) xls_iblock_section_id_new parameter to admin/mcart_xls_import_step_2.php.

Vulnerable Product

bitrix project bitrix

Exploits

Advisory ID: HTB23279
Product: mcart.xls Bitrix module
Vendor: www.mcart.ru
Vulnerable Version(s): 6.5.2 and probably prior
Tested Version: 6.5.2
Advisory Publication: November 18, 2015 [without technical details]
Vendor Notification: November 18, 2015
Public Disclosure: January 13, 2016
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: ...

Bitrix mcart.xls module versions 6.5.2 and below suffer from a remote SQL injection vulnerability ...