SQL Injection Vulnerability Affects InstantCMS v2.16.2
CVE-2024-31212
What is CVE-2024-31212?
InstantCMS version 2.16.2 contains a SQL injection vulnerability that can be exploited by attackers who already hold administrative privileges. The vulnerability lies in the index_chart_data action, where user input is processed without adequate sanitization, allowing unauthorized SQL code execution. Specifically, the flaw is in the filterFunc function of the core model, which incorporates user input directly into an SQL statement. Because the 'period' input is not properly escaped before the query is built, it can be manipulated to execute attacker-controlled SQL, potentially compromising the integrity and confidentiality of the database. A patch for this vulnerability has not yet been released.
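To make the defect concrete, here is an added example (not InstantCMS's own filterFunc code) of the pattern described above: a chart query that splices a request-supplied period value into the SQL text, beside a hardened form that allowlists the period and binds the chosen value as a parameter. The period option names, the table and the sample rows are all constructed for this illustration.

```python
import sqlite3

# Assumed option set: each allowed "period" maps to a strftime bucket format.
# InstantCMS's real option names are not given on the page.
ALLOWED_PERIODS = {
    "day": "%Y-%m-%d",
    "month": "%Y-%m",
    "year": "%Y",
}

def build_chart_sql_unsafe(period):
    """Vulnerable pattern: the raw request value is spliced into the SQL text."""
    return ("SELECT strftime('" + period + "', created) AS bucket, COUNT(*) "
            "FROM items GROUP BY bucket ORDER BY bucket")

def chart_data(conn, period):
    """Hardened form: allowlist the period first, then bind the chosen format."""
    fmt = ALLOWED_PERIODS.get(period)
    if fmt is None:
        # Anything outside the allowlist (a stray quote, an unknown keyword)
        # is refused before any SQL is assembled.
        raise ValueError("unsupported period: %r" % (period,))
    return conn.execute(
        "SELECT strftime(?, created) AS bucket, COUNT(*) "
        "FROM items GROUP BY bucket ORDER BY bucket",
        (fmt,),  # bound parameter, never part of the statement text
    ).fetchall()

def make_sample_db():
    """In-memory table with constructed rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, created TEXT)")
    conn.executemany("INSERT INTO items (created) VALUES (?)",
                     [("2024-03-05",), ("2024-03-20",), ("2024-04-01",)])
    return conn

if __name__ == "__main__":
    db = make_sample_db()
    print(chart_data(db, "month"))          # [('2024-03', 2), ('2024-04', 1)]
    print(build_chart_sql_unsafe("month'"))  # quote survives into the SQL text
    try:
        chart_data(db, "month'")
    except ValueError as err:
        print("rejected:", err)
```

The same allowlist-then-bind discipline applies to any other request field that selects a column, format or interval, since such values cannot always be expressed as bound parameters and must therefore be validated against a fixed set.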

