PT-2026-23688 · Unknown · Alive Parish
Published: 2026-03-06 · Updated: 2026-03-06
CVE-2018-25176
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Alive Parish version 2.0.4
Description
The software contains an SQL injection issue that permits unauthenticated attackers to execute arbitrary SQL queries. This is achieved by injecting malicious code through the "key" parameter in the "/search" endpoint. Additionally, attackers can upload arbitrary files through the person photo upload functionality to the "images/uploaded" directory, potentially leading to remote code execution.
Recommendations
Update to a newer version that contains a fix for this vulnerability.
As a temporary workaround, restrict access to the "/search" endpoint.
As a temporary workaround, disable the person photo upload functionality.
Fix
RCE
CSRF
Affected Products
Alive Parish