CVE-2018-17796

Name of the Vulnerable Software and Affected Versions MRCMS versions through 3.1.2

Description An issue was discovered where the WebParam.java file directly accepts the FIELD T parameter in a request and uses it as a hash of SQL statements without filtering. This results in a SQL injection issue in the getChannel() function in the ChannelService.java file.

Recommendations For versions through 3.1.2, as a temporary workaround, consider filtering or validating the FIELD T parameter to prevent SQL injection attacks. Restrict access to the ChannelService.java file to minimize the risk of exploitation.