PT-2020-20559 · Phpmychat · Phpmychat Plus

J3Rrybl4Nks

Published

2020-02-18

Updated

2020-02-27

CVE-2020-9265

CVSS v3.1

9.3

Critical

Vector

AC:L/AV:N/A:L/C:H/I:N/PR:N/S:C/UI:N

Name of the Vulnerable Software and Affected Versions phpMyChat-Plus version 1.98

Description The issue concerns multiple SQL injections against the Delete User functionality in the deluser.php file, as demonstrated by the pmc username variable.

Recommendations For phpMyChat-Plus version 1.98, consider disabling the Delete User functionality in deluser.php until a patch is available to prevent potential SQL injection attacks. Restrict access to the deluser.php file to minimize the risk of exploitation. Avoid using the pmc username variable in the affected functionality until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2020-9265

Affected Products

Phpmychat Plus

PT-2020-20559 · Phpmychat · Phpmychat Plus

CVE-2020-9265

Weakness Enumeration

Related Identifiers

Affected Products

References · 3