CVE-2021-41262

SQL Injection in Galette

CVSS 8.8 HIGHEPSS 1.1%CWE-89

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.8EPSS 1.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

16 Dec 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 are subject to SQL injection attacks by users with "member" privilege. Users are advised to upgrade to version 0.9.6 as soon as possible. There are no known workarounds.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

galette · galette

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/galette/galette/commit/8e940641b5ed46c3f471332827df388ea00a85d3 https://github.com/galette/galette/security/advisories/GHSA-936f-xvgq-fg74