SQL Injection Vulnerability in FUEL CMS by Daylight Studio
CVE-2021-38727

9.8 CRITICAL

Key Information:

CVE Published: 9 September 2021

What is CVE-2021-38727?

FUEL CMS version 1.5.0 is vulnerable to SQL injection through the 'col' parameter of the fuel/logs/items endpoint. An attacker can use it to manipulate SQL queries, potentially gaining unauthorized access to sensitive data in the database and putting the integrity and confidentiality of user information at risk. Users of FUEL CMS should apply the necessary patches and updates to mitigate this risk. Refer to the official GitHub issue and security advisory for further details on remediation.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
