CVE-2018-6893

Name of the Vulnerable Software and Affected Versions FineCms version 5.2.0

Description The issue concerns SQL Injection in the FineCms software. Specifically, the "controllers/member/Api.php" file is affected when a request is made with certain parameters, including 's=member,c=api,m=checktitle', and the module parameter contains a SQL statement. The lack of effective filtering for this parameter allows for potential SQL Injection attacks.

Recommendations For FineCms version 5.2.0, as a temporary workaround, consider restricting access to the "controllers/member/Api.php" file or disabling the checktitle method until a patch is available. Avoid using the module parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.