CVE-2024-36801

Name of the Vulnerable Software and Affected Versions SEMCMS version 4.8

Description A SQL injection issue allows a remote attacker to obtain sensitive information via the lgid parameter in "Download.php". The vulnerability is related to the lack of protection for the SQL query structure, which can be exploited to execute arbitrary SQL queries and gain unauthorized access to protected information.

Recommendations For SEMCMS version 4.8, consider restricting access to the "Download.php" file or the lgid parameter to minimize the risk of exploitation until a patch is available. Avoid using the lgid parameter in the affected API endpoint until the issue is resolved.