{"api_version":"1","generated_at":"2026-04-23T11:30:11+00:00","cve":"CVE-2017-7290","urls":{"html":"https://cve.report/CVE-2017-7290","api":"https://cve.report/api/cve/CVE-2017-7290.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-7290","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-7290"},"summary":{"title":"CVE-2017-7290","description":"SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses \"into outfile\" to create a backdoor program.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2017-03-30 07:59:00","updated_at":"2017-04-03 13:42:00"},"problem_types":["CWE-89"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/97230","name":"97230","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"XOOPS CVE-2017-7290 SQL Injection Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19","name":"https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19","refsource":"MISC","tags":["Exploit","Patch","Third Party Advisory"],"title":"PoC: CVE-2017-7290 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-7290","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7290","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"7290","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xoops","cpe5":"xoops","cpe6":"2.5.7.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"7290","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xoops","cpe5":"xoops","cpe6":"2.5.7.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"7290","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xoops","cpe5":"xoops","cpe6":"2.5.8.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"7290","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xoops","cpe5":"xoops","cpe6":"2.5.7.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"7290","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xoops","cpe5":"xoops","cpe6":"2.5.7.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"7290","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"xoops","cpe5":"xoops","cpe6":"2.5.8.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2017-7290","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses \"into outfile\" to create a backdoor program."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19","refsource":"MISC","url":"https://gist.github.com/jk1986/3b304ac6b4ae52ae667bba380c2dce19"},{"name":"97230","refsource":"BID","url":"http://www.securityfocus.com/bid/97230"}]}},"nvd":{"publishedDate":"2017-03-30 07:59:00","lastModifiedDate":"2017-04-03 13:42:00","problem_types":["CWE-89"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:xoops:xoops:2.5.7.2:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:xoops:xoops:2.5.8.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:xoops:xoops:2.5.7.3:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"7290","Ordinal":"104073","Title":"CVE-2017-7290","CVE":"CVE-2017-7290","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"7290","Ordinal":"1","NoteData":"SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses \"into outfile\" to create a backdoor program.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"7290","Ordinal":"2","NoteData":"2017-03-30","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"7290","Ordinal":"3","NoteData":"2017-03-31","Type":"Other","Title":"Modified"}]}}}