SQL Injection Vulnerability in CSZ CMS 1.2.9 by cskaza
CVE-2021-43701

6.5MEDIUM

Key Information:

Vendor

Cszcms

Status
Csz Cms
Vendor
CVE Published:
29 March 2022

What is CVE-2021-43701?

CSZ CMS version 1.2.9 is susceptible to a Time and Boolean-based Blind SQL Injection within the admin endpoint '/admin/export/getcsv/article_db'. Attackers can exploit this vulnerability via the 'fieldS[]' and 'orderby' parameters, potentially allowing unauthorized access to sensitive database information. Proper input validation and parameter sanitization are recommended to mitigate risks associated with this vulnerability.

References

https://github.com/cskaza/cszcms/issues/31
x_refsource_MISC
https://www.exploit-db.com/exploits/50846
x_refsource_MISC
http://packetstormsecurity.com/files/166535/CSZ-CMS-1.2.9...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2021-43701 : SQL Injection Vulnerability in CSZ CMS 1.2.9 by cskaza