Description
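Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability (CWE-89, tracked as CVE-2023-24775) via the selectFields parameter handled in \member\Member.php. The record below scores it CVSS 3.1 base 9.8 (network-reachable, no privileges or user interaction required). Although this description and the NVD CPE name only v3.2.0, the OSV affectedSoftware list covers funadmin/funadmin releases 1.02 through 3.2.0, and no fixed version is listed on this page.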
Affected Software
Related
{"id": "OSV:GHSA-V43V-PV95-JC55", "vendorId": null, "type": "osv", "bulletinFamily": "software", "title": "SQL Injection in Funadmin", "description": "Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \\member\\Member.php.", "published": "2023-03-07T18:30:38", "modified": "2023-03-22T05:29:06", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://osv.dev/vulnerability/GHSA-v43v-pv95-jc55", "reporter": "Google", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-24775", "https://github.com/funadmin/funadmin/issues/9"], "cvelist": ["CVE-2023-24775"], "immutableFields": [], "lastseen": "2023-03-22T05:29:36", "viewCount": 1, "enchantments": {"score": {"value": 3.7, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2023-24775"]}, {"type": "github", "idList": ["GHSA-V43V-PV95-JC55"]}]}, "epss": [{"cve": "CVE-2023-24775", "epss": 0.00076, "percentile": 0.31067, "modified": "2023-03-21"}], "vulnersScore": 3.7}, "_state": {"score": 0, "dependencies": 1679463154, "epss": 1679462975}, "_internal": {"score_hash": "b82db86e8f0e31dc060a6b1fcd4d7f5b"}, "affectedSoftware": [{"version": "1.02", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "1.1", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "1.5.0", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.1.0", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.2", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.2.10", "operator": "eq", "name": 
"funadmin/funadmin"}, {"version": "2.2.11", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.2.12", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.2.13", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.2.14", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.2.6", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.2.9", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.3", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.3.1", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.4.0", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.4.1", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.4.2", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.5.0", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.5.1", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.5.2", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.6.0", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.6.1", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.6.2", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.6.3", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.6.4", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "2.6.5", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "3.0", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "3.0.1", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "3.1.0", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "3.1.1", "operator": "eq", "name": "funadmin/funadmin"}, {"version": "3.2.0", "operator": "eq", "name": "funadmin/funadmin"}]}
{"github": [{"lastseen": "2023-03-14T23:08:48", "description": "Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \\member\\Member.php.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-07T18:30:38", "type": "github", "title": "SQL Injection in Funadmin", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2023-24775"], "modified": "2023-03-14T23:02:20", "id": "GHSA-V43V-PV95-JC55", "href": "https://github.com/advisories/GHSA-v43v-pv95-jc55", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-03-14T20:14:55", "description": "Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \\member\\Member.php.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-07T18:15:00", "type": "cve", "title": "CVE-2023-24775", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2023-24775"], "modified": "2023-03-14T18:25:00", "cpe": ["cpe:/a:funadmin:funadmin:3.2.0"], "id": "CVE-2023-24775", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24775", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": 
["cpe:2.3:a:funadmin:funadmin:3.2.0:*:*:*:*:*:*:*"]}]}