Email Marketer
CVE-2022-44790
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Interspire Email Marketer through 6.5.1 allows SQL Injection via the surveys module. An unauthenticated attacker could successfully perform an attack to extract potentially sensitive information from the database if the survey id exists.
AnalysisAI
Interspire Email Marketer through 6.5.1 allows SQL Injection via the surveys module. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. Interspire Email Marketer through 6.5.1 allows SQL Injection via the surveys module. An unauthenticated attacker could successfully perform an attack to extract potentially sensitive information from the database if the survey id exists. Affected products include: Interspire Email Marketer. Version information: through 6.5.1.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.
More in Email Marketer
View allThe function in charge to check whether the user is already logged in init.php in Interspire Email Marketer (IEM) prior
Interspire Email Marketer through 6.5.0 allows arbitrary file upload via a surveys_submit.php "create survey and submit
Interspire Email Marketer through 6.1.6 has SQL Injection via an updateblock sortorder request to Dynamiccontenttags.php
Interspire Email Marketer through 6.1.6 has SQL Injection via a deleteblock blockid[] request to Dynamiccontenttags.php.
Interspire Email Marketer through 6.1.6 has SQL Injection via a checkduplicatetags tagname request to Dynamiccontenttags
Interspire Email Marketer through 6.1.6 allows arbitrary file upload via a surveys_submit.php "create survey and submit
Interspire Email Marketer through 6.1.6 has SQL Injection via a tagids Delete action to Dynamiccontenttags.php. Rated hi
admin/functions/remote.php in Interspire Email Marketer through 6.1.6 has Server Side Request Forgery (SSRF) via a what=
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today