CVE-2014-9528

2015-01-06T15:59:00
ID CVE-2014-9528
Type cve
Reporter cve@mitre.org
Modified 2017-09-08T01:29:00

Description

SQL injection vulnerability in the actionIndex function in protected/modules_core/notification/controllers/ListController.php in HumHub 0.10.0-rc.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the from parameter to index.php. NOTE: this can be leveraged for cross-site scripting (XSS) attacks via a request that causes an error.