PT-2019-18272 · Phpwind · Phpwind
Published: 2019-01-23 · Updated: 2019-01-25 · CVE-2019-6691
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
phpwind version 9.0.2.170426
Description
The issue allows SQL injection via the admin.php?m=backup&c=backup&a=doback endpoint, specifically through the tabledb[] parameter, related to the "--backup database" option.
Recommendations
For phpwind version 9.0.2.170426, avoid using the tabledb[] parameter in the admin.php?m=backup&c=backup&a=doback endpoint until the issue is resolved. Consider restricting access to the backup functionality to minimize the risk of exploitation.
Exploit
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Phpwind