PT-2018-16207 · Oturia · Oturia Smart Google Code Inserter

Benjamin Lim

Published

2018-01-01

Updated

2018-01-16

CVE-2018-3811

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Oturia Smart Google Code Inserter plugin versions prior to 3.5

Description The issue allows unauthenticated attackers to execute SQL queries in the context of the web server due to a lack of prepared statements and sanitization of the oId variable in the saveGoogleAdWords() function.

Recommendations For Oturia Smart Google Code Inserter plugin versions prior to 3.5, update to version 3.5 or later to resolve the issue. As a temporary workaround, consider disabling the saveGoogleAdWords() function until a patch is available. Restrict access to the smartgooglecode.php file to minimize the risk of exploitation. Avoid using the oId variable in the affected SQL query until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2018-3811

Affected Products

Oturia Smart Google Code Inserter

PT-2018-16207 · Oturia · Oturia Smart Google Code Inserter

CVE-2018-3811

Weakness Enumeration

Related Identifiers

Affected Products

References · 6