PT-2020-16264 · Websitebaker · Websitebaker

Roel Van Beurden · Published 2020-10-01 · Updated 2020-10-05 · CVE-2020-25990

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WebsiteBaker version 2.12.2

Description: The issue allows SQL injection via the display name parameter in the "/websitebaker/admin/preferences/save.php" API endpoint. This could enable an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Recommendations: For version 2.12.2, avoid using the display name parameter in the "/websitebaker/admin/preferences/save.php" API endpoint until the issue is resolved. Consider restricting access to this endpoint to minimize the risk of exploitation.
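The defect class described above (a request value spliced into SQL text) and the fix a maintainer would apply (a bound parameter plus basic input validation) are illustrated by the following added example. It is hypothetical code written for this page, not WebsiteBaker's save.php; the table and column names (users, display_name, user_id) and the use of PDO with an in-memory SQLite database are assumptions made so the snippet runs stand-alone.

```php
<?php
// Hypothetical "save preferences" handler illustrating the defect class in this
// advisory. NOT WebsiteBaker's code; table/column names are assumptions.

// Unsafe pattern: the request value becomes part of the SQL text, so any quote
// character in it changes the structure of the statement.
function save_display_name_unsafe(PDO $db, int $userId, string $displayName): void
{
    $sql = "UPDATE users SET display_name = '" . $displayName . "' WHERE user_id = " . $userId;
    $db->exec($sql);
}

// Hardened pattern: the value travels as a bound parameter, never as SQL text,
// and values the application has no reason to accept are rejected up front.
function save_display_name(PDO $db, int $userId, string $displayName): void
{
    if ($displayName === '' || mb_strlen($displayName) > 255) {
        throw new InvalidArgumentException('display name must be 1..255 characters');
    }
    $stmt = $db->prepare('UPDATE users SET display_name = :name WHERE user_id = :id');
    $stmt->bindValue(':name', $displayName, PDO::PARAM_STR);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
}

// Demonstration against an in-memory SQLite database with constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, display_name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin')");

// An ordinary name containing an apostrophe already breaks the unsafe version,
// which is the same mechanism an injected value exploits ...
try {
    save_display_name_unsafe($db, 1, "O'Brien");
} catch (PDOException $e) {
    echo "unsafe version failed on a quote: " . $e->getMessage() . PHP_EOL;
}

// ... while the hardened version stores the value verbatim.
save_display_name($db, 1, "O'Brien");
echo $db->query('SELECT display_name FROM users WHERE user_id = 1')->fetchColumn() . PHP_EOL;
```

The point of the apostrophe case is that the quote character is interpreted as SQL in the unsafe function and as data in the hardened one; the length check is not a substitute for the bound parameter, only a sanity limit that keeps obviously malformed input out of the database layer.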

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2020-25990

Affected Products: Websitebaker