Multiple vulnerabilities in YouPHPTube

Published: 2019-10-18 | Updated: 2019-12-05
Severity: High
Patch available: YES
Number of vulnerabilities: 11
CVE ID: CVE-2019-5114, CVE-2019-5123, CVE-2019-5122, CVE-2019-5121, CVE-2019-5120, CVE-2019-5119, CVE-2019-5117, CVE-2019-5116, CVE-2019-5151, CVE-2019-5150, CVE-2019-18662
CWE ID: CWE-89
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #9 is available. Public exploit code for vulnerability #10 is available. Public exploit code for vulnerability #11 is available.
Vulnerable software: YouPHPTube
Vendor: YouPHPTube

Security Advisory

Updated 01.11.2019
Added vulnerabilities #2-10, updated bulletin title.
Updated 04.11.2019
Added vulnerability #11.
Updated 05.12.2019
Changed bulletin status to Patched.

1) SQL injection

Severity: High

CVSSv3: 8.1 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-5114

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "comments_id" parameter to the "/objects/commentAddNew.json.php" URL. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

YouPHPTube: 2.2, 2.4, 2.7, 3.4, 3.4.1, 4.0, 4.0.1, 4.0.2, 5.0, 6.5, 7.2, 7.3, 7.4, 7.5, 7.6

External links

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0906

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) SQL injection

Severity: High

CVSSv3: 8.1 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-5123

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "dir" parameter in the "/objects/pluginSwitch.json.php" URL. A remote authenticated attacker can send a specially crafted web request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

YouPHPTube: 2.2, 2.4, 2.7, 3.4, 3.4.1, 4.0, 4.0.1, 4.0.2, 5.0, 6.5, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7

External links

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0911

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) SQL injection

Severity: High

CVSSv3: 8.1 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-5122

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "name" parameter in the "/objects/pluginSwitch.json.php" URL. A remote authenticated attacker can send a specially crafted web request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

YouPHPTube: 2.2, 2.4, 2.7, 3.4, 3.4.1, 4.0, 4.0.1, 4.0.2, 5.0, 6.5, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7

External links

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0911

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) SQL injection

Severity: High

CVSSv3: 8.1 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-5121

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "uuid" parameter in the "/objects/pluginSwitch.json.php" URL. A remote authenticated attacker can send a specially crafted web request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

YouPHPTube: 2.2, 2.4, 2.7, 3.4, 3.4.1, 4.0, 4.0.1, 4.0.2, 5.0, 6.5, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7

External links

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0911

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) SQL injection

Severity: High

CVSSv3: 8.1 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-5120

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "id" parameter to the "/objects/playlistAddNew.json.php" URL. A remote authenticated attacker can send a specially crafted web request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

YouPHPTube: 2.2, 2.4, 2.7, 3.4, 3.4.1, 4.0, 4.0.1, 4.0.2, 5.0, 6.5, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7

External links

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0910

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) SQL injection

Severity: High

CVSSv3: 8.1 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-5119

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "user_id" parameter to the "/objects/subscribeNotify.json.php" URL. A remote authenticated attacker can send a specially crafted web request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

YouPHPTube: 2.2, 2.4, 2.7, 3.4, 3.4.1, 4.0, 4.0.1, 4.0.2, 5.0, 6.5, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7

External links

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0909

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) SQL injection

Severity: High

CVSSv3: 8.1 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-5117

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "user_id" parameter to the "/objects/subscribe.json.php" URL. A remote authenticated attacker can send a specially crafted web request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

YouPHPTube: 2.2, 2.4, 2.7, 3.4, 3.4.1, 4.0, 4.0.1, 4.0.2, 5.0, 6.5, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7

External links

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0908

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) SQL injection

Severity: High

CVSSv3: 8.1 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-5116

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "categories_id" parameter to the "/objects/videoAddNew.json.php" URL. A remote authenticated attacker can send a specially crafted web request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

YouPHPTube: 2.2, 2.4, 2.7, 3.4, 3.4.1, 4.0, 4.0.1, 4.0.2, 5.0, 6.5, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7

External links

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0907

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) SQL injection

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-5151

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "videoName" parameter to the "getVideo" function in the "/objects/video.php" file. A remote attacker can send a specially crafted HTTP request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

YouPHPTube: 7.7

External links

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0941

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

10) SQL injection

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-5150

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "search" parameter to the "getVideo" function in the "/objects/video.php" file when the "VideoTags" plugin is enabled. A remote attacker can send a specially crafted HTTP request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

YouPHPTube: 7.7

External links

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0940

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

11) SQL injection

Severity: High

CVSSv3: 8.2 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-18662

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "live_stream_code" POST parameter to the "/plugin/LiveChat/getChat.json.php" file. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability requires the Live Chat plugin to be enabled and may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

YouPHPTube: 7.2, 7.3, 7.4, 7.5, 7.6, 7.7

External links

https://github.com/YouPHPTube/YouPHPTube/issues/2202

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
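
The request paths and parameters named in items 1 to 8 and 11 of this bulletin can be used as a virtual-patch allowlist at a reverse proxy, or in log review, until the vendor update is installed. The following is an added example, not code from YouPHPTube or from this advisory; the value shapes (`INT_ID`, `TOKEN`), the function names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed value shapes (the bulletin does not state them); tune on real traffic.
INT_ID = re.compile(r"[0-9]{1,10}")
TOKEN = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Script paths and parameters as named in the bulletin. Items 9 and 10 name a
# function in /objects/video.php rather than a request URL, so they are omitted.
WATCHED = {
    "/objects/commentAddNew.json.php": {"comments_id": INT_ID},
    "/objects/pluginSwitch.json.php": {"dir": TOKEN, "name": TOKEN, "uuid": TOKEN},
    "/objects/playlistAddNew.json.php": {"id": INT_ID},
    "/objects/subscribeNotify.json.php": {"user_id": INT_ID},
    "/objects/subscribe.json.php": {"user_id": INT_ID},
    "/objects/videoAddNew.json.php": {"categories_id": INT_ID},
    "/plugin/LiveChat/getChat.json.php": {"live_stream_code": TOKEN},
}

def check_request(url, body=""):
    """Return (script, parameter, value) tuples that fail the allowlist."""
    parts = urlsplit(url)
    # Suffix match so installs under a sub-directory are covered too.
    script = next((p for p in WATCHED if parts.path.endswith(p)), None)
    if script is None:
        return []
    # Merge query-string and form-encoded body parameters, keeping blank values.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    return [(script, n, v) for n, rx in WATCHED[script].items()
            for v in params.get(n, []) if not rx.fullmatch(v)]

# Constructed sample requests (URL, form body); not taken from any real log.
SAMPLES = [
    ("/objects/subscribe.json.php?user_id=42", ""),
    ("/tube/objects/subscribe.json.php?user_id=42%20extra", ""),
    ("/plugin/LiveChat/getChat.json.php", "live_stream_code=abc123"),
    ("/plugin/LiveChat/getChat.json.php", "live_stream_code=abc%27123"),
    ("/view/index.php?id=1%27", ""),
]

def scan(samples=SAMPLES):
    return [hit for url, body in samples for hit in check_request(url, body)]

if __name__ == "__main__":
    for hit in scan():
        print("reject:", hit)
```

A check of this kind only narrows exposure for the listed parameters; it does not replace installing the vendor update.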