CVE-2018-9852

Name of the Vulnerable Software and Affected Versions Gxlcms QY version 1.0.0713

Description The issue allows remote attackers to read data from a database by embedding a FROM clause in a query string within a Home-Hits request. This can be achieved by manipulating the query string, for example, by using sid=user,password%20from%20mysql.user%23 in the request.

Recommendations For Gxlcms QY version 1.0.0713, consider restricting access to the Home-Hits request or validating and sanitizing user input to prevent malicious queries. As a temporary workaround, restrict access to the HitsAction.class.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.