CVE-2019-16644

Name of the Vulnerable Software and Affected Versions TuziCMS version 2.0.6

Description The issue concerns SQL injection in TuziCMS. Specifically, it affects the AppHomeControllerZhuantiController.class.php file. The SQL injection vulnerability is exploitable via the "index.php/Zhuanti/group?id=" substring, which suggests it can be triggered by manipulating the id parameter in a specific API endpoint, namely "index.php/Zhuanti/group?id=".

Recommendations For TuziCMS version 2.0.6, as a temporary workaround, consider restricting access to the id parameter in the "index.php/Zhuanti/group?id=" endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.