SQL Injection in Dokeos
|Vulnerable Versions:||2.2 RC2 and probably prior|
|Tested Version:||2.2 RC2|
|Advisory Publication:||October 30, 2013 [without technical details]|
|Vendor Notification:||October 30, 2013|
|Public Disclosure:||November 27, 2013|
|Latest Update:||November 27, 2013|
|Vulnerability Type:||SQL Injection [CWE-89]|
|CVSSv2 Base Score:||7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)|
|Solution Status:||Solution Available|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge Security Research Lab discovered vulnerability in Dokeos, which can be exploited to perform SQL Injection attacks.
|Vendor did not reply to 6 notifications by email, 1 notification via twitter, 2 forum threads/direct messages. Currently we are not aware of any official solution for this vulnerability.|
Unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23181-patch.zip
| High-Tech Bridge Advisory HTB23181 - https://www.htbridge.com/advisory/HTB23181 - SQL Injection in Dokeos.|
 Dokeos - http://www.dokeos.com/ - Dokeos, the flexible, enterprise-ready e-learning software.
 Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
 ImmuniWeb® - a PCI compliant web application penetration test combined with managed vulnerability scan. Configure, schedule, and manage online 24/7.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.