CVE-2020-21808

Name of the Vulnerable Software and Affected Versions NukeViet CMS versions 4.0.10 through 4.3.07

Description The issue is related to a SQL Injection vulnerability. It is associated with the lack of protection for the SQL query structure in the addtotopics.php script of the built-in News module. Exploitation of this issue may allow a remote attacker to execute arbitrary SQL code via the topicsid parameter in the addtotopics.php script, located in modules/news/admin/addtotopics.php.

Recommendations For versions 4.0.10 through 4.3.07, consider disabling the addtotopics.php script in the News module until a patch is available. Restrict access to the modules/news/admin/addtotopics.php endpoint to minimize the risk of exploitation. Avoid using the topicsid parameter in the affected API endpoint until the issue is resolved.