- The eFront learning management system suffers from two vulnerabilities, first of which is a PHP deserialization code execution vulnerability.
- The second vulnerability is the unauthenticated SQL injection vulnerability that exists in Epignosis eFront LMS v5.2.12, and earlier.
What’s the matter?
Researchers from Cisco Talos uncovered two vulnerabilities in Epigosis eFront LMS. The vulnerabilities could allow an attacker to remotely execute code and perform SQL injections.
Remote Code Execution vulnerability
- The first vulnerability is the PHP deserialization code execution vulnerability.
- The vulnerability tracked as CVE-2019-5069 exists in Epignosis eFront LMS v5.2.12.
- The security flaw has a severity score of 8.8 and can be exploited with a specially crafted web request that triggers the vulnerability, resulting in the PHP code being executed.
SQL Injection vulnerability
- The second vulnerability is the unauthenticated SQL injection vulnerability that exists in Epignosis eFront LMS v5.2.12, and earlier.
- The vulnerability tracked as CVE-2019-5070 has a CVSS score of 6.5.
- Successful exploitation of this vulnerability requires a specially crafted web request to the login page to cause SQL injections, resulting in data compromise.
Patch available
Cisco Talos researchers disclosed these two vulnerabilities to Epignosis on July 29, 2019. Epignois acknowledged the issue and announced to fix the issue on August 13, 2019.
On August 30, 2019, Epignosis patched the vulnerabilities in its latest version eFront v 5.2.13.
Publisher
/https://cystory-images.s3.amazonaws.com/shutterstock_328650788.jpg)
/https://cystory-images.s3.amazonaws.com/shutterstock_350982164.jpg)
