PT-2019-9824 · Empirecms · Empirecms
Publicado
2019-06-07
·
Atualizado
2020-08-24
·
CVE-2018-19462
CVSS v3.1
7.2
Alta
| Vetor | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
EmpireCMS versions through 7.5
Description
The issue allows remote attackers to execute arbitrary PHP code via SQL injection. This is achieved by using a .php filename in a SELECT INTO OUTFILE statement to admin/admin.php.
Recommendations
For EmpireCMS versions through 7.5, consider restricting access to the
DoSql.php file in the admindb directory until a patch is available. As a temporary workaround, avoid using the SELECT INTO OUTFILE statement with .php filenames in the admin/admin.php file.Exploit
Correção
RCE
SQL injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Empirecms