CVE-2017-16896

Name: CVE-2017-16896
Description: A SQL injection in classes/handler/public.php in the forgotpass component of Tiny Tiny RSS 17.4 exists via the login parameter.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high (attack range: remote)
Debian Bugs: 882543

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| tt-rss (PTS) | sid | 17.1+git20170410+dfsg-2 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tt-rss | source | (unstable) | (unfixed) | high | | 882543 |

Notes

https://discourse.tt-rss.org/t/sql-injection-in-forgotpass-fixed/669
https://git.tt-rss.org/git/tt-rss/commit/2352c320c2ed34ec7df1ad22f0c55a1b26489815
