SQL Injection Vulnerability in WUZHI CMS Affects Multiple Versions
CVE-2018-17852

9.8CRITICAL

Key Information:

Vendor: Wuzhi Cms Project
Status: Wuzhi Cms
Vendor: CVE Published:; 1 October 2018

🔔 Create Wuzhi Cms Project Vulnerability Alert

What is CVE-2018-17852?

A SQL injection vulnerability exists in WUZHI CMS version 4.1.0, specifically within the coreframe/app/coupon/admin/card.php file. This issue arises when untrusted input is passed via the 'groupname' parameter in the URI /index.php?m=coupon&f=card&v=detail_listing. Attackers can exploit this vulnerability to execute arbitrary SQL commands, potentially compromising the security of the application's database.

References

https://github.com/wuzhicms/wuzhicms/issues/155

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 1, 2018
Vulnerability Reserved
Oct 1, 2018