CVE-2019-6127

Name of the Vulnerable Software and Affected Versions XiaoCms version 20141229

Description An issue in XiaoCms allows SQL injection via the "table[]" parameter in the admin/index.php endpoint, specifically "/admin/index.php?c=database table[]". This can lead to PHP code execution by using "INTO OUTFILE" with a .php filename.

Recommendations For XiaoCms version 20141229, as a temporary workaround, consider restricting access to the /admin/index.php?c=database endpoint to minimize the risk of exploitation. Avoid using the table[] parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.