PT-2021-10118 · Unknown · Phpshe Mall System

Si1Ence · Published 2021-04-28 · Updated 2021-05-05 · CVE-2020-18020

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PHPSHE Mall System version 1.7
Description: The issue allows remote attackers to execute arbitrary code by injecting SQL commands through the user phone parameter of a crafted HTTP request to the "admin.php" component. This lets attackers manipulate the database and potentially gain unauthorized access.
Recommendations: For PHPSHE Mall System version 1.7, consider restricting access to the "admin.php" component and avoid passing the user phone parameter in crafted HTTP requests until a patch is available. As a temporary workaround, restrict the values accepted for the user phone parameter to minimize the risk of exploitation.
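The workaround above (restricting what the user phone parameter may contain) is shown here as an added illustration written for this page; it is not PHPSHE's own code. The table and column names (`user`, `user_phone`), the `$pdo` handle and the demo rows are assumptions, and the weak variant is kept only as the "before" picture next to the hardened one.

```php
<?php
declare(strict_types=1);

// Weak pattern: the request value is spliced into the SQL text, so a quote
// or operator inside it changes the structure of the query.
function findUserByPhoneUnsafe(PDO $pdo, string $phone): array
{
    $sql = "SELECT user_id, user_name FROM user WHERE user_phone = '$phone'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Layer 1: accept only values that look like a phone number. The pattern is a
// placeholder; adjust it to the deployment's numbering plan.
function normalizePhone(string $raw): ?string
{
    $phone = trim($raw);
    if (!preg_match('/^\+?[0-9]{6,20}$/', $phone)) {
        return null;
    }
    return $phone;
}

// Layer 2: bind the value as a parameter so the database never parses it as SQL.
function findUserByPhoneSafe(PDO $pdo, string $rawPhone): array
{
    $phone = normalizePhone($rawPhone);
    if ($phone === null) {
        // Reject and log the malformed value instead of trying to "clean" it.
        error_log('rejected malformed user_phone parameter: ' . bin2hex(substr($rawPhone, 0, 64)));
        return [];
    }
    $stmt = $pdo->prepare('SELECT user_id, user_name FROM user WHERE user_phone = :phone');
    $stmt->bindValue(':phone', $phone, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_name TEXT, user_phone TEXT)');
$pdo->exec("INSERT INTO user (user_name, user_phone) VALUES ('alice', '13800000001'), ('bob', '13800000002')");

$wellFormed = '13800000001';   // constructed valid value: exactly one row comes back
$malformed  = "13800000001'";  // constructed value with a stray quote: rejected before any query runs

var_dump(findUserByPhoneSafe($pdo, $wellFormed));
var_dump(findUserByPhoneSafe($pdo, $malformed));
```

The two layers are independent on purpose: the prepared statement alone already removes the injection, and the format check alone already rejects the crafted values the description refers to; keeping both means a mistake in one place does not silently reopen the issue. Logging the rejected value in hex also gives the operator a clean detection signal for attempts against the parameter.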

Tags: Exploit · Fix · SQL injection


Weakness Enumeration

Related Identifiers: CVE-2020-18020

Affected Products: Phpshe Mall System