Vulnerabilites related to roxlukas - LMeve
CVE-2018-25071 (GCVE-0-2018-25071)
Vulnerability from cvelistv5
Published
2023-01-07 11:28
Modified
2024-08-05 12:33
Severity ?
5.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
5.5 (Medium) - CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
5.5 (Medium) - CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - SQL Injection
Summary
A vulnerability was found in roxlukas LMeve up to 0.1.58. It has been rated as critical. Affected by this issue is the function insert_log of the file wwwroot/ccpwgl/proxy.php. The manipulation of the argument fetch leads to sql injection. Upgrading to version 0.1.59-beta is able to address this issue. The patch is identified as c25ff7fe83a2cda1fcb365b182365adc3ffae332. It is recommended to upgrade the affected component. VDB-217610 is the identifier assigned to this vulnerability.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| roxlukas | LMeve |
Version: 0.1.0 Version: 0.1.1 Version: 0.1.2 Version: 0.1.3 Version: 0.1.4 Version: 0.1.5 Version: 0.1.6 Version: 0.1.7 Version: 0.1.8 Version: 0.1.9 Version: 0.1.10 Version: 0.1.11 Version: 0.1.12 Version: 0.1.13 Version: 0.1.14 Version: 0.1.15 Version: 0.1.16 Version: 0.1.17 Version: 0.1.18 Version: 0.1.19 Version: 0.1.20 Version: 0.1.21 Version: 0.1.22 Version: 0.1.23 Version: 0.1.24 Version: 0.1.25 Version: 0.1.26 Version: 0.1.27 Version: 0.1.28 Version: 0.1.29 Version: 0.1.30 Version: 0.1.31 Version: 0.1.32 Version: 0.1.33 Version: 0.1.34 Version: 0.1.35 Version: 0.1.36 Version: 0.1.37 Version: 0.1.38 Version: 0.1.39 Version: 0.1.40 Version: 0.1.41 Version: 0.1.42 Version: 0.1.43 Version: 0.1.44 Version: 0.1.45 Version: 0.1.46 Version: 0.1.47 Version: 0.1.48 Version: 0.1.49 Version: 0.1.50 Version: 0.1.51 Version: 0.1.52 Version: 0.1.53 Version: 0.1.54 Version: 0.1.55 Version: 0.1.56 Version: 0.1.57 Version: 0.1.58 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:33:47.765Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.217610"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.217610"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/roxlukas/lmeve/commit/c25ff7fe83a2cda1fcb365b182365adc3ffae332"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/roxlukas/lmeve/releases/tag/0.1.59-beta"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "LMeve",
"vendor": "roxlukas",
"versions": [
{
"status": "affected",
"version": "0.1.0"
},
{
"status": "affected",
"version": "0.1.1"
},
{
"status": "affected",
"version": "0.1.2"
},
{
"status": "affected",
"version": "0.1.3"
},
{
"status": "affected",
"version": "0.1.4"
},
{
"status": "affected",
"version": "0.1.5"
},
{
"status": "affected",
"version": "0.1.6"
},
{
"status": "affected",
"version": "0.1.7"
},
{
"status": "affected",
"version": "0.1.8"
},
{
"status": "affected",
"version": "0.1.9"
},
{
"status": "affected",
"version": "0.1.10"
},
{
"status": "affected",
"version": "0.1.11"
},
{
"status": "affected",
"version": "0.1.12"
},
{
"status": "affected",
"version": "0.1.13"
},
{
"status": "affected",
"version": "0.1.14"
},
{
"status": "affected",
"version": "0.1.15"
},
{
"status": "affected",
"version": "0.1.16"
},
{
"status": "affected",
"version": "0.1.17"
},
{
"status": "affected",
"version": "0.1.18"
},
{
"status": "affected",
"version": "0.1.19"
},
{
"status": "affected",
"version": "0.1.20"
},
{
"status": "affected",
"version": "0.1.21"
},
{
"status": "affected",
"version": "0.1.22"
},
{
"status": "affected",
"version": "0.1.23"
},
{
"status": "affected",
"version": "0.1.24"
},
{
"status": "affected",
"version": "0.1.25"
},
{
"status": "affected",
"version": "0.1.26"
},
{
"status": "affected",
"version": "0.1.27"
},
{
"status": "affected",
"version": "0.1.28"
},
{
"status": "affected",
"version": "0.1.29"
},
{
"status": "affected",
"version": "0.1.30"
},
{
"status": "affected",
"version": "0.1.31"
},
{
"status": "affected",
"version": "0.1.32"
},
{
"status": "affected",
"version": "0.1.33"
},
{
"status": "affected",
"version": "0.1.34"
},
{
"status": "affected",
"version": "0.1.35"
},
{
"status": "affected",
"version": "0.1.36"
},
{
"status": "affected",
"version": "0.1.37"
},
{
"status": "affected",
"version": "0.1.38"
},
{
"status": "affected",
"version": "0.1.39"
},
{
"status": "affected",
"version": "0.1.40"
},
{
"status": "affected",
"version": "0.1.41"
},
{
"status": "affected",
"version": "0.1.42"
},
{
"status": "affected",
"version": "0.1.43"
},
{
"status": "affected",
"version": "0.1.44"
},
{
"status": "affected",
"version": "0.1.45"
},
{
"status": "affected",
"version": "0.1.46"
},
{
"status": "affected",
"version": "0.1.47"
},
{
"status": "affected",
"version": "0.1.48"
},
{
"status": "affected",
"version": "0.1.49"
},
{
"status": "affected",
"version": "0.1.50"
},
{
"status": "affected",
"version": "0.1.51"
},
{
"status": "affected",
"version": "0.1.52"
},
{
"status": "affected",
"version": "0.1.53"
},
{
"status": "affected",
"version": "0.1.54"
},
{
"status": "affected",
"version": "0.1.55"
},
{
"status": "affected",
"version": "0.1.56"
},
{
"status": "affected",
"version": "0.1.57"
},
{
"status": "affected",
"version": "0.1.58"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "tool",
"value": "VulDB GitHub Commit Analyzer"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in roxlukas LMeve up to 0.1.58. It has been rated as critical. Affected by this issue is the function insert_log of the file wwwroot/ccpwgl/proxy.php. The manipulation of the argument fetch leads to sql injection. Upgrading to version 0.1.59-beta is able to address this issue. The patch is identified as c25ff7fe83a2cda1fcb365b182365adc3ffae332. It is recommended to upgrade the affected component. VDB-217610 is the identifier assigned to this vulnerability."
},
{
"lang": "de",
"value": "Eine kritische Schwachstelle wurde in roxlukas LMeve bis 0.1.58 ausgemacht. Davon betroffen ist die Funktion insert_log der Datei wwwroot/ccpwgl/proxy.php. Durch Manipulieren des Arguments fetch mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Ein Aktualisieren auf die Version 0.1.59-beta vermag dieses Problem zu l\u00f6sen. Der Patch wird als c25ff7fe83a2cda1fcb365b182365adc3ffae332 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.2,
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-20T12:25:05.864Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.217610"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.217610"
},
{
"tags": [
"patch"
],
"url": "https://github.com/roxlukas/lmeve/commit/c25ff7fe83a2cda1fcb365b182365adc3ffae332"
},
{
"tags": [
"patch"
],
"url": "https://github.com/roxlukas/lmeve/releases/tag/0.1.59-beta"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-01-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-01-07T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-01-07T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-01-29T19:47:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "roxlukas LMeve proxy.php insert_log sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2018-25071",
"datePublished": "2023-01-07T11:28:15.497Z",
"dateReserved": "2023-01-07T11:27:50.644Z",
"dateUpdated": "2024-08-05T12:33:47.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4246 (GCVE-0-2021-4246)
Vulnerability from cvelistv5
Published
2022-12-17 00:00
Modified
2025-04-15 13:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-707 - Improper Neutralization -> CWE-74 Injection -> CWE-89 SQL Injection
Summary
A vulnerability was found in roxlukas LMeve and classified as critical. Affected by this issue is some unknown functionality of the component Login Page. The manipulation of the argument X-Forwarded-For leads to sql injection. The attack may be launched remotely. The name of the patch is 29e1ead3bb1c1fad53b77dfc14534496421c5b5d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216176.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:23:10.332Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roxlukas/lmeve/commit/29e1ead3bb1c1fad53b77dfc14534496421c5b5d"
},
{
"tags": [
"x_transferred"
],
"url": "https://vuldb.com/?id.216176"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:03:06.596994Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T13:01:49.361Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "LMeve",
"vendor": "roxlukas",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in roxlukas LMeve and classified as critical. Affected by this issue is some unknown functionality of the component Login Page. The manipulation of the argument X-Forwarded-For leads to sql injection. The attack may be launched remotely. The name of the patch is 29e1ead3bb1c1fad53b77dfc14534496421c5b5d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216176."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-707",
"description": "CWE-707 Improper Neutralization -\u003e CWE-74 Injection -\u003e CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-17T00:00:00.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"url": "https://github.com/roxlukas/lmeve/commit/29e1ead3bb1c1fad53b77dfc14534496421c5b5d"
},
{
"url": "https://vuldb.com/?id.216176"
}
],
"title": "roxlukas LMeve Login Page sql injection",
"x_generator": "vuldb.com"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2021-4246",
"datePublished": "2022-12-17T00:00:00.000Z",
"dateReserved": "2022-12-17T00:00:00.000Z",
"dateUpdated": "2025-04-15T13:01:49.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}