BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist

Get critical updates on the latest zeroday threats, including impact, mitigation and protection information - only from BeyondTrust.

Leed Multiple Vulnerabilities

Disclosed December 18, 2013    Zeroday : 254 days

Vulnerability Description:

Leed is vulnerable to three vulnerabilities: a blind SQL injection vulnerability, a cross-site-request forgery vulnerability, and an authentication bypass.

Vendors:

Valentin CARRUESCO

Vulnerable Software/Devices:

Leed 1.5 and possibly other versions

Vulnerability Severity:

Medium

Exploit Availability:

No Exploit Available

Exploit Impact:

Security Bypass
This vulnerability allows an attacker to bypass certain security restrictions on the system, allowing the attacker to perform certain actions anonymously.

Blind SQL Injection
A remote attacker is able to change the value of the ID parameter of leed/action.php, allowing the attacker to query the database and possibly gain access to sensitive information. This may be leveraged to gain access to other sensitive components of a website or publicly facing infrastructure.

Cross-Site Request Forgery
Exploitation of this vulnerability is possible via forged HTML forms, sent to a victim through a number of different attack vectors (including malicious links). Attackers who successfully exploit this vulnerability may be able to take complete control of the affected device, including the ability to change arbitrary settings, such as the username and password for administering the vulnerable device.

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner scans devices to detect for this vulnerability.

  • 31980 - Leed Multiple Vulnerabilities (20131218) (Zero-Day)

Mitigation:

No mitigation is currently available.

Links:

CVE(s):