zm-gallery Plugin 1.0 on WordPress order sql injection
| CVSS Meta Temp Score | Current Exploit Price (β) |
|---|---|
| 5.9 | $0-$5k |
A vulnerability, which was classified as critical, was found in zm-gallery Plugin 1.0 on WordPress (Photo Gallery Software). Affected is an unknown functionality. The manipulation of the argument order as part of a Parameter leads to a sql injection vulnerability. CWE is classifying the issue as CWE-89. This is going to have an impact on confidentiality, integrity, and availability. An attacker might be able inject and/or alter existing SQL statements which would influence the database exchange.
The bug was discovered 07/07/2017. The weakness was shared 09/13/2019. This vulnerability is traded as CVE-2016-10940 since 09/12/2019. The exploitability is told to be easy. It is possible to launch the attack remotely. A single authentication is needed for exploitation. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 09/14/2019).
The vulnerability was handled as a non-public zero-day exploit for at least 798 days. During that time the estimated underground price was around $0-$5k.
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
Type
Name
VulDB Meta Base Score: 5.9
VulDB Meta Temp Score: 5.9
VulDB Base Score: 4.7
VulDB Temp Score: 4.7
VulDB Vector: π
VulDB Reliability: π
NVD Base Score: 7.2
NVD Vector: π
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| π | π | π | π | π | π |
| π | π | π | π | π | π |
| π | π | π | π | π | π |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: π
VulDB Temp Score: π
VulDB Reliability: π
NVD Base Score: π
Class: Sql injection (CWE-89)
Local: No
Remote: Yes
Availability: π
Status: Not defined
Price Prediction: π
Current Price Estimation: π
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Threat: π
Adversaries: π
Geopolitics: π
Economy: π
Predictions: π
Remediation: πRecommended: no mitigation known
0-Day Time: π
07/07/2017 Vulnerability found
09/12/2019 CVE assigned
09/13/2019 Advisory disclosed
09/14/2019 VulDB entry created
09/14/2019 VulDB last update
CVE: CVE-2016-10940 (π)
OSVDB: - Joyent Smart Data Center docker API privilege escalation
Created: 09/14/2019 09:10 AM
Complete: π
Comments
Download the whitepaper to learn more about our service!
https://vuldb.com/?id.141744
Comments are closed.
No comments yet. Please log in to comment.