Home > Vulnerability Database > CVE-2015-1397

Mend.io Vulnerability Database

CVE-2015-1397

Date: April 29, 2015

SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote administrators to execute arbitrary SQL commands via the popularity[field_expr] parameter when the popularity[from] or popularity[to] parameter is set.

Language: PHP

Severity Score

6.3

Related Resources (6)

Url: http://magento.com/blog/technical/critical-security-advisory-remote-code-execution-rce-vulnerability

Url: https://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html

Url: http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/

Url: https://nvd.nist.gov/vuln/detail/CVE-2015-1397

Url: http://www.securitytracker.com/id/1032194

Url: https://www.mend.io/vulnerability-database/CVE-2015-1397

Severity Score

6.3

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

CVSS v3.1

Base Score:	6.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

CVSS v2

Base Score:	6.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2015-1397

Date: April 29, 2015

Language: PHP

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?