CVE-2018-25203

Name of the Vulnerable Software and Affected Versions Online Store System CMS version 1.0

Description An SQL injection allows unauthenticated attackers to manipulate database queries. This is achieved by sending POST requests to the 'index.php' endpoint with the action parameter set to 'clientaccess', injecting SQL code into the email parameter. Attackers can use boolean-based blind or time-based blind SQL injection—techniques that infer data by observing the server's response or response time—to extract sensitive information from the database.

Recommendations As a temporary workaround, avoid using the email parameter in the 'index.php' endpoint when the action is set to 'clientaccess' until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.