PT-2018-17509 · Vastal I Tech · Vastal I-Tech Buddy Zone Facebook Clone

Ihsan Sencan

·

Published

2018-01-29

·

Updated

2018-02-14

·

CVE-2018-6367

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable software and affected versions: Vastal I-Tech Buddy Zone Facebook Clone version 2.9.9
Description: SQL injection in two PHP pages of the application. User-supplied values reach database queries without being validated or bound as parameters, via the "request_id" parameter of "/chat_im/chat_window.php" and the "category" parameter of "/search_events.php". The CVSS vector (network, low complexity, no privileges, no user interaction) reflects that the pages are reachable by an unauthenticated remote attacker, who can read or modify database contents.
Recommendations: For version 2.9.9, restrict access to "/chat_im/chat_window.php" and "/search_events.php" (for example at the web server or WAF) until a patched release is deployed. The code-level fix is to validate "request_id" as an integer and to pass both "request_id" and "category" to the database as bound parameters of a prepared statement instead of concatenating them into the query string.
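The following is an added illustration, not code from Vastal I-Tech or from this advisory. It models the two injection points named above (a numeric request_id with no quoting, and a string category inside quotes) against a constructed SQLite database: the table names, column names, sample rows and payload strings are all assumptions made for the demo, and the vulnerable/fixed pairs show why bound parameters close both holes while string concatenation leaves them open.

```python
import sqlite3

# Constructed stand-in for the application's database. This is NOT the product's
# real schema; it only has the shape needed to show the two injection contexts
# named in the advisory (a numeric request_id and a string category).
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(user_id INTEGER, username TEXT, password_hash TEXT);
        CREATE TABLE chat_requests(request_id INTEGER, message TEXT);
        CREATE TABLE events(event_id INTEGER, title TEXT, category TEXT);
        INSERT INTO users VALUES (10, 'alice', 'hash-a'), (20, 'bob', 'hash-b');
        INSERT INTO chat_requests VALUES (1, 'hi'), (2, 'hello');
        INSERT INTO events VALUES (1, 'Meetup', 'social'), (2, 'Standup', 'work');
    """)
    return db

# --- chat_window.php, request_id: numeric context, value is not quoted ---

def chat_window_vulnerable(db, request_id: str):
    # The request string is pasted straight into the SQL text, so anything that
    # follows a number (UNION, OR, a comment marker) is executed as SQL.
    sql = "SELECT request_id, message FROM chat_requests WHERE request_id = " + request_id
    return db.execute(sql).fetchall()

def chat_window_fixed(db, request_id: str):
    # Validate the type first (non-numeric input is rejected with ValueError),
    # then bind the value so the driver never treats it as query text.
    rid = int(request_id)
    sql = "SELECT request_id, message FROM chat_requests WHERE request_id = ?"
    return db.execute(sql, (rid,)).fetchall()

# --- search_events.php, category: string context, value sits inside quotes ---

def search_events_vulnerable(db, category: str):
    # A single quote in the input closes the literal; the rest is parsed as SQL.
    sql = "SELECT event_id, title FROM events WHERE category = '" + category + "'"
    return db.execute(sql).fetchall()

def search_events_fixed(db, category: str):
    # A bound parameter is always a literal; quotes inside it are just characters.
    sql = "SELECT event_id, title FROM events WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

# UNION payloads of the kind used to pull rows out of an unrelated table. Both
# strings are constructed for this demo; the advisory publishes no payloads.
REQUEST_ID_PAYLOAD = "0 UNION SELECT user_id, password_hash FROM users"
CATEGORY_PAYLOAD = "x' UNION SELECT user_id, password_hash FROM users -- "

def demo() -> dict:
    """Run each payload through the vulnerable and the fixed handler."""
    db = make_db()
    out = {
        # Vulnerable handlers leak the users table through the UNION.
        "chat_vuln": sorted(chat_window_vulnerable(db, REQUEST_ID_PAYLOAD)),
        "events_vuln": sorted(search_events_vulnerable(db, CATEGORY_PAYLOAD)),
        # Fixed string handler: the payload is just a category nobody has.
        "events_fixed": search_events_fixed(db, CATEGORY_PAYLOAD),
    }
    try:
        chat_window_fixed(db, REQUEST_ID_PAYLOAD)
        out["chat_fixed"] = "accepted"
    except ValueError:
        # Fixed numeric handler: the payload never reaches the database.
        out["chat_fixed"] = "rejected"
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the module prints the leaked password hashes for both vulnerable handlers, an empty result for the fixed category lookup, and "rejected" for the fixed request_id lookup. The same two changes (type validation where the value must be numeric, bound parameters everywhere) are what a patch for the PHP pages would need, whatever database layer the product uses.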

Exploit

Fix

SQL injection


Weakness Enumeration

Related identifiers

CVE-2018-6367

Affected products

Vastal I-Tech Buddy Zone Facebook Clone