CVE-2014-3719

moderate-risk
Published 2020-01-30

Multiple SQL injection vulnerabilities in cgi-bin/review_m.cgi in Ex Libris ALEPH 500 (Integrated library management system) 18.1 and 20 allow remote attackers to execute arbitrary SQL commands via the (1) find, (2) lib, or (3) sid parameter.

Do I need to act?

~
1.2% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Aleph 500
Aleph 500

Affected Vendors

Exlibrisgroup

References (4)

Exploit http://packetstormsecurity.com/files/126635/Aleph-500-SQL-Injection.html
Mailing List http://seclists.org/fulldisclosure/2014/May/65
Exploit http://packetstormsecurity.com/files/126635/Aleph-500-SQL-Injection.html
Mailing List http://seclists.org/fulldisclosure/2014/May/65
43
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 4/34 · Minimal
Exposure 7/34 · Low