Leed is affected by three vulnerabilities: a blind SQL injection, a cross-site request forgery, and an authentication bypass.
Leed 1.5 and possibly other versions
No Exploit Available
This vulnerability allows an attacker to bypass certain security restrictions on the system and perform certain actions anonymously.
Blind SQL Injection
A remote attacker is able to change the value of the ID parameter of leed/action.php, allowing the attacker to query the database and possibly gain access to sensitive information. This may be leveraged to gain access to other sensitive components of a website or publicly facing infrastructure.
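Since no mitigation is available, one defensive check is to review web server access logs for requests to leed/action.php whose ID parameter is not a plain integer. The script below is an added example, not part of the original advisory or the Leed project; it assumes combined-format access logs, an install path ending in leed/action.php, and that legitimate ID values are numeric. The sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_id(line):
    """Return the decoded id value if this log line is a request to
    leed/action.php with a non-numeric id parameter, otherwise None.
    Only query-string values are visible in access logs; POST bodies are not."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("leed/action.php"):
        return None
    # parse_qs URL-decodes values, so encoded characters are checked too.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name.lower() != "id":
            continue
        for value in values:
            # Assumption: a legitimate id is ASCII digits only.
            if not re.fullmatch(r"[0-9]+", value):
                return value
    return None

def scan(lines):
    """Return (client_address, id_value) for every flagged line."""
    findings = []
    for line in lines:
        value = suspicious_id(line)
        if value is not None:
            findings.append((line.split(" ", 1)[0], value))
    return findings

# Constructed sample log lines (documentation address range, made-up requests).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2014:10:00:01 +0000] "GET /leed/action.php?id=42 HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Jan/2014:10:00:05 +0000] "GET /leed/action.php?id=42%27 HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2014:10:00:09 +0000] "GET /leed/index.php?id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client}: non-numeric id {value!r}")
```

A flagged line is a lead for review, not proof of exploitation; correlate it with the client's other requests and with database error logs.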
Cross-Site Request Forgery
Exploitation of this vulnerability is possible via forged HTML forms, sent to a victim through a number of different attack vectors (including malicious links). Attackers who successfully exploit this vulnerability may be able to take complete control of the affected device, including the ability to change arbitrary settings, such as the username and password for administering the vulnerable device.
BeyondTrust Prevention and Detection:
BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.
- 31980 - Leed Multiple Vulnerabilities (20131218) (Zero-Day)
No mitigation is currently available.