lmxcms AcquisiAction.class.php update sql injection
CVE-2023-1321

6.3MEDIUM

Key Information:

Vendor

Lmxcms

Status
Lmxcms
Vendor
CVE Published:
10 March 2023

What is CVE-2023-1321?

A SQL injection vulnerability exists in the lmxcms version 1.41, specifically in the update function of the AcquisiAction.class.php file. By manipulating the 'id' argument with a crafted input of -1 and employing a specific payload, an attacker can execute unauthorized SQL queries. This vulnerability allows for remote attacks, potentially compromising the application's database. The exploit has been publicly disclosed, increasing the urgency for affected users to implement suitable security measures and updates.

Affected Version(s)

lmxcms 1.41

References

https://vuldb.com/?id.222727
vdb-entrytechnical-description
https://vuldb.com/?ctiid.222727
signature

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

p1nk (VulDB User)
.
CVE-2023-1321 : lmxcms AcquisiAction.class.php update sql injection