SQL Injection in Osclass
|Vulnerable Versions:||3.5.9 and probably prior|
|Advisory Publication:||December 21, 2015 [without technical details]|
|Vendor Notification:||December 21, 2015|
|Vendor Fix:||January 25, 2016|
|Public Disclosure:||February 17, 2016|
|Latest Update:||January 25, 2016|
|Vulnerability Type:||SQL Injection [CWE-89]|
|CVSSv3 Base Score:||7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]|
|Solution Status:||Fixed by Vendor|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge Security Research Lab discovered a high-risk SQL injection vulnerability in Osclass, a popular web-based software for building customized classifieds marketplace. The vulnerability can be exploited to gain access to potentially sensitive information in the application database and even to compromise the entire website.
|Update to Osclass 3.6.0|
| High-Tech Bridge Advisory HTB23287 - https://www.immuniweb.com/advisory/HTB23287 - SQL Injection in Osclass|
 Osclass - https://osclass.org/ - Osclass is a php script that allows you to quickly create and manage your own free classifieds site.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
 ImmuniWeb® - Leveraging the power of machine-learning and genius of human brain to deliver the most advanced web application security and penetration testing.
 ImmuniWeb® SSLScan - Test your servers for security and compliance with PCI DSS, HIPAA and NIST.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.