CVE-2010-2672

critical

Description

Multiple SQL injection vulnerabilities in eZ Publish 3.7.0 through 4.2.0 allow remote attackers to execute arbitrary SQL commands via the (1) SectionID and (2) SearchTimestamp parameters to the search feature and the (3) SearchContentClassAttributeID parameter to the advancedsearch feature.

References

http://www.siberas.de/advisories/advisories_2010.html

http://www.securityfocus.com/bid/38985

http://secunia.com/advisories/39101

http://osvdb.org/63238

http://osvdb.org/63237

http://ez.no/de/developer/security/security_advisories/ez_publish_4_2/ezsa_2010_001_remote_vulnerability_in_ez_search

http://ez.no/de/content/download/321166/3192253/version/1/file/16398.diff

http://ez.no/de/content/download/321165/3192248/version/1/file/16397.diff

Details

Source: Mitre, NVD

Published: 2010-07-08

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00836