DoceboLMS Multiple Arbitrary File Upload and SQL Injection Vulnerabilities

Bugtraq ID:	50998
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Dec 09 2011 12:00AM
Updated:	Dec 09 2011 12:00AM
Credit:	mr_me::rwx kru
Vulnerable:	Docebo DoceboLMS 4.0.4 Docebo DoceboLMS 3.0.4 Docebo DoceboLMS 3.0.3 Docebo DoceboLMS 3.0 Docebo DoceboLMS 2.0.5 Docebo DoceboLMS 2.0.4 Docebo DoceboLMS 2.0.3 Docebo DoceboLMS 2.0.2
Not Vulnerable:

DoceboLMS Multiple Arbitrary File Upload and SQL Injection Vulnerabilities

DoceboLMS is prone to multiple arbitrary file upload and SQL-injection vulnerabilities.

Exploiting these issues could allow an attacker to upload arbitrary files, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

DoceboLMS 4.0.4 and prior versions are vulnerable.

DoceboLMS Multiple Arbitrary File Upload and SQL Injection Vulnerabilities

The following exploit is available:

• /data/vulnerabilities/exploits/50998.php

DoceboLMS Multiple Arbitrary File Upload and SQL Injection Vulnerabilities

Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]

DoceboLMS Multiple Arbitrary File Upload and SQL Injection Vulnerabilities

References:

• Docebo Homepage (Docebo)