PT-2022-20087 · Unknown · Merchandise Online Store

K0Xx11

Published

2022-05-13

Updated

2022-05-23

CVE-2022-30386

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Merchandise Online Store version 1.0

Description The issue concerns SQL Injection. It can be exploited via the /vloggers merch/classes/Master.php API endpoint, specifically when the f parameter is set to delete featured.

Recommendations For Merchandise Online Store version 1.0, consider restricting access to the /vloggers merch/classes/Master.php endpoint or disabling the delete featured function to minimize the risk of exploitation.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2022-30386

Affected Products

Merchandise Online Store

PT-2022-20087 · Unknown · Merchandise Online Store

CVE-2022-30386

Weakness Enumeration

Related Identifiers

Affected Products

References · 4