CVE-2014-5387 – Multiple Authenticated SQL Injections in EllisLab ExpressionEngine Core

Posted by Portcullis Advisories on Nov 03

Vulnerability title: Multiple Authenticated SQL Injections in EllisLab ExpressionEngine Core
CVE: CVE-2014-5387
Vendor: EllisLab
Product: ExpressionEngine Core
Affected version: Versions earlier than 2.9.0
Fixed version: 2.9.1
Reported by: Jerzy Kramarz and Alex Murillo Moya

Details:

SQL injection has been found and confirmed within the software when accessed as an authenticated user. A successful attack could
allow an authenticated attacker to access…
