CVE-2018-19897

Name of the Vulnerable Software and Affected Versions ThinkCMF version X2.2.2

Description The issue concerns a SQL Injection vulnerability via the listorders() function in AdminbaseController.class.php. This can be exploited with manager privilege through the listorders[key][1] parameter in a "Link listorders" action.

Recommendations For ThinkCMF version X2.2.2, as a temporary workaround, consider disabling the listorders() function until a patch is available. Restrict access to the listorders action to minimize the risk of exploitation. Avoid using the listorders[key][1] parameter in the affected Link listorders action until the issue is resolved.