PT-2019-17706 · Earclink · Earclink Espcms-P8

Published

2019-01-07

Updated

2019-02-14

CVE-2019-5488

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions EARCLINK ESPCMS-P8

Description The issue concerns a SQL injection in the install pack/index.php ac=Member&at=verifyAccount endpoint, specifically in the verify key parameter. This could potentially allow an attacker to retrieve sensitive information from the ESPCMS database through the espcms db.php file.

Recommendations For EARCLINK ESPCMS-P8, consider restricting access to the install pack/index.php endpoint, specifically the ac=Member&at=verifyAccount section, to minimize the risk of exploitation. Avoid using the verify key parameter in this endpoint until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2019-5488

Affected Products

Earclink Espcms-P8

PT-2019-17706 · Earclink · Earclink Espcms-P8

CVE-2019-5488

Weakness Enumeration

Related Identifiers

Affected Products

References · 2