506640 – (CVE-2013-2945) <www-apps/b2evolution-4.1.7: Cross-site request forgery (CSRF) and SQL injection both in blogs/admin.php (CVE-2013-{2945,7352})

Bug 506640 (CVE-2013-2945) - <www-apps/b2evolution-4.1.7: Cross-site request forgery (CSRF) and SQL injection both in blogs/admin.php (CVE-2013-{2945,7352})

Summary: <www-apps/b2evolution-4.1.7: Cross-site request forgery (CSRF) and SQL inject...

Status:	RESOLVED FIXED

Alias:	CVE-2013-2945

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2014-04-03 07:35 UTC by Agostino Sarubbo
Modified:	2014-08-25 22:38 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2014-04-03 07:35:42 UTC

CVE-2013-7352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7352):

Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the show_statuses[] parameter, related to CVE-2013-2945.


@maintainer(s): since the fixed version is already stable, please remove the affected versions from the tree.

Comment 1 Agostino Sarubbo gentoo-dev

2014-04-04 09:48:35 UTC

CVE-2013-2945 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2945):

SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.

Comment 2 Yury German Gentoo Infrastructure

2014-06-17 23:36:44 UTC

Maintainer(s), please drop the vulnerable version.

Comment 3 GLSAMaker/CVETool Bot gentoo-dev

2014-08-19 23:00:07 UTC

CVE-2013-2945 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2945):
  SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7
  allows remote authenticated administrators to execute arbitrary SQL commands
  via the show_statuses[] parameter.  NOTE: this can be leveraged using CSRF
  to allow remote unauthenticated attackers to execute arbitrary SQL commands.

Comment 4 GLSAMaker/CVETool Bot gentoo-dev

2014-08-25 18:04:05 UTC

CVE-2013-7352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7352):
  Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in
  b2evolution before 4.1.7 allows remote attackers to hijack the
  authentication of administrators for requests that conduct SQL injection
  attacks via the show_statuses[] parameter, related to CVE-2013-2945.

Comment 5 Chris Reffett (RETIRED) gentoo-dev

2014-08-25 22:36:24 UTC

Maintainer timeout, cleanup done. GLSA vote: no.

Comment 6 Yury German Gentoo Infrastructure

2014-08-25 22:38:07 UTC

GLSA Vote: No

No GLSA - Closing Bug as Resolved