CVE-2013-0209: SQL Injection

First published: Wed Jan 23 2013(Updated: )

lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct eval injection and SQL injection attacks via crafted parameters, as demonstrated by an eval injection attack against the core_drop_meta_for_table function, leading to execution of arbitrary Perl code.

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/severity
• agent/author
• agent/weakness
• agent/references
• agent/description
• agent/type
• agent/event
• agent/softwarecombine
• agent/last-modified-date
• agent/remedy
• agent/tags
• agent/first-publish-date
• collector/mitre-cve
• source/MITRE
• vendor/sixapart
• canonical/sixapart movable type
• version/sixapart movable type/4.21
• version/sixapart movable type/4.22
• version/sixapart movable type/4.23
• version/sixapart movable type/4.24
• version/sixapart movable type/4.25
• version/sixapart movable type/4.26
• version/sixapart movable type/4.27
• version/sixapart movable type/4.28
• version/sixapart movable type/4.29
• version/sixapart movable type/4.31
• version/sixapart movable type/4.32
• version/sixapart movable type/4.33
• version/sixapart movable type/4.34
• version/sixapart movable type/4.35
• version/sixapart movable type/4.36
• version/sixapart movable type/4.37
• version/sixapart movable type/4.38
• version/sixapart movable type/4.261
• version/sixapart movable type/4.291
• version/sixapart movable type/4.292
• version/sixapart movable type/4.361