First published: Mon Jul 15 2019
Deepwoods Software WebLibrarian 3.5.2 and earlier is affected by SQL injection, with the impact of exposing the entire database. The affected component is the function "AllBarCodes" (defined at database_code.php line 1018), which is vulnerable to a boolean-based blind SQL injection. The function call can be triggered by any logged-in user with at least the Volunteer role or the manage_circulation capability. PoC: /wordpress/wp-admin/admin.php?page=weblib-circulation-desk&orderby=title&order=DESC.
Credit: josh@bress.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Deepsoft Weblibrarian | <=3.5.2 | Update to a version later than 3.5.2 |
The vulnerability ID is CVE-2019-1010034.
The severity of CVE-2019-1010034 is medium.
CVE-2019-1010034 exposes the entire database due to SQL Injection.
The component affected by CVE-2019-1010034 is the function "AllBarCodes" defined at line 1018 of database_code.php.
To fix CVE-2019-1010034 in Deepwoods Software WebLibrarian, update to a version later than 3.5.2 and ensure proper input validation and sanitization to prevent SQL Injection.
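The advisory's PoC shows sort parameters (orderby, order) reaching the query, and the fix advice above calls for input validation. The following is an added illustration, not WebLibrarian's own code and not the body of "AllBarCodes": it contrasts the general vulnerable pattern (request input spliced into an ORDER BY clause) with an allowlist check, which is the correct control because column identifiers and sort keywords cannot be bound as prepared-statement parameters. The table and column names are assumed for the example.

```php
<?php
// Added example, not the plugin's code. Table and column names are assumed.

// Hypothetical allowlist mapping accepted request values to SQL identifiers.
const SORTABLE_COLUMNS = [
    'title'   => 'title',
    'author'  => 'author',
    'barcode' => 'barcode',
];

/**
 * Build an ORDER BY fragment from request input, or return null when either
 * value is not on the allowlist. Anything unexpected is rejected outright;
 * escaping is not a substitute here because these are identifiers/keywords,
 * not data values.
 */
function safe_order_by(?string $orderby, ?string $order): ?string
{
    if ($orderby === null || !array_key_exists($orderby, SORTABLE_COLUMNS)) {
        return null;
    }
    $direction = strtoupper((string) $order);
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        return null;
    }
    return 'ORDER BY `' . SORTABLE_COLUMNS[$orderby] . '` ' . $direction;
}

// Vulnerable pattern (illustrative): whatever the caller sends becomes SQL text.
function unsafe_query(string $orderby, string $order): string
{
    return "SELECT barcode, title FROM items ORDER BY $orderby $order";
}

// Hardened pattern: only allowlisted values ever reach the query text.
function safe_query(?string $orderby, ?string $order): ?string
{
    $clause = safe_order_by($orderby, $order);
    if ($clause === null) {
        // Caller should fall back to a default sort or return an error.
        return null;
    }
    return "SELECT barcode, title FROM items $clause";
}

// Constructed sample inputs mirroring the advisory's parameter names.
var_dump(safe_query('title', 'DESC'));        // accepted: ORDER BY `title` DESC
var_dump(safe_query('title', 'sideways'));    // NULL: direction not on the allowlist
var_dump(safe_query('not_a_column', 'ASC'));  // NULL: column not on the allowlist
```

In a WordPress plugin the same allowlist check would sit between reading `$_GET['orderby']` / `$_GET['order']` and building the query, and a rejected value should produce a default sort rather than be passed through. A capability check alone (Volunteer role or manage_circulation) does not mitigate this class of bug, since the advisory notes the injection is reachable by any user holding that capability.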