SQL Injection Vulnerability in FUEL CMS by Daylight Studio
CVE-2020-26045

9.8CRITICAL

Key Information:

Vendor

Thedaylightstudio

Status
Fuel Cms
Vendor
CVE Published:
5 January 2021

What is CVE-2020-26045?

FUEL CMS version 1.4.11 is susceptible to an SQL Injection vulnerability through the 'name' parameter in the /fuel/permissions/create/ endpoint. An attacker exploiting this flaw could potentially gain unauthorized access to the application, manipulate sensitive data, or leverage other vulnerabilities present in the underlying database system. Proper input validation and security best practices are essential to mitigate risks associated with this vulnerability.

References

https://getfuelcms.com
x_refsource_MISC
https://github.com/daylightstudio/FUEL-CMS/releases/tag/1...
x_refsource_MISC
https://github.com/daylightstudio/FUEL-CMS/issues/575
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.