logo_clicknbuy.png

CVE-2014-125123 – Kloxo SQL Injection Vulnerability

The following table lists the changes that have been made to the
CVE-2014-125123 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by [email protected]

    Jul. 31, 2025

    Action Type Old Value New Value
    Added Description An unauthenticated SQL injection vulnerability exists in the Kloxo web hosting control panel (developed by LXCenter) prior to version 6.1.12. The flaw resides in the login-name parameter passed to lbin/webcommand.php, which fails to properly sanitize input, allowing an attacker to extract the administrator’s password from the backend database. After recovering valid credentials, the attacker can authenticate to the Kloxo control panel and leverage the Command Center feature (display.php) to execute arbitrary operating system commands as root on the underlying host system. This vulnerability was reported to be exploited in the wild in January 2014.
    Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CWE CWE-89
    Added Reference https://github.com/lxcenter/kloxo
    Added Reference https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/kloxo_sqli.rb
    Added Reference https://web.archive.org/web/20140301125222/http://www.webhostingtalk.com/showthread.php?p=8996984
    Added Reference https://web.archive.org/web/20141118054734/https://vpsboard.com/topic/3384-kloxo-installations-compromised/
    Added Reference https://www.exploit-db.com/exploits/31577
    Added Reference https://www.vulncheck.com/advisories/kloxo-unauth-sqli-rce
Share the Post:

Related Posts