PT-2018-17509 · Vastal I Tech · Vastal I-Tech Buddy Zone Facebook Clone

Ihsan Sencan

Published

2018-01-29

Updated

2018-02-14

CVE-2018-6367

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Vastal I-Tech Buddy Zone Facebook Clone version 2.9.9

Description A SQL Injection issue exists, allowing potential exploitation through specific parameters in certain API endpoints. The issue can be exploited via the "request id" parameter in the "/chat im/chat window.php" endpoint or the "category" parameter in the "/search events.php" endpoint.

Recommendations For version 2.9.9, consider restricting access to the "/chat im/chat window.php" and "/search events.php" endpoints until a fix is available, and avoid using the request id and category parameters in these endpoints to minimize the risk of exploitation.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2018-6367

Affected Products

Vastal I-Tech Buddy Zone Facebook Clone

PT-2018-17509 · Vastal I Tech · Vastal I-Tech Buddy Zone Facebook Clone

CVE-2018-6367

Weakness Enumeration

Related Identifiers

Affected Products

References · 4