CyberSec.Space Logo
CVEブラウザに戻る

CVE-2019-18662

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0660%
EPSS Percentile30.44th
Published2019年11月2日
Last Modified2024年11月21日

Vulnerability Description

An issue was discovered in YouPHPTube through 7.7. User input passed through the live_stream_code POST parameter to /plugin/LiveChat/getChat.json.php is not properly sanitized (in getFromChat in plugin/LiveChat/Objects/LiveChatObj.php) before being used to construct a SQL query. This can be exploited by malicious users to, e.g., read sensitive data from the database through in-band SQL Injection attacks. Successful exploitation of this vulnerability requires the Live Chat plugin to be enabled.

Affected Platforms (CPE)

📦
Youphptube

Youphptube

<= 7.7

References & Advisories

🔗 http://packetstormsecurity.com/files/155564/YouPHPTube-7.7-SQL-Injection.html
🔗 http://seclists.org/fulldisclosure/2019/Dec/9
🔗 https://github.com/YouPHPTube/YouPHPTube/issues/2202
🔗 http://packetstormsecurity.com/files/155564/YouPHPTube-7.7-SQL-Injection.html
🔗 http://seclists.org/fulldisclosure/2019/Dec/9
🔗 https://github.com/YouPHPTube/YouPHPTube/issues/2202

関連する脆弱性情報

CVE-2019-515110.0

An exploitable SQL injection vulnerability exist in YouPHPTube 7.7. A specially crafted unauthenticated HTTP request can cause a S...

CVE-2019-51149.9

An exploitable SQL injection vulnerability exists in the authenticated portion of YouPHPTube 7.6. Specially crafted web requests c...

CVE-2019-51279.8

A command injection have been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. E...

CVE-2019-161249.8

In YouPHPTube 7.4, the file install/checkConfiguration.php has no access control, which leads to everyone being able to edit the c...