SQL Injection Vulnerability Affects InstantCMS v2.16.2
CVE-2024-31212

7.2HIGH

Key Information:

Vendor: InstantCMS
Status: Instantcms
Vendor: CVE Published:; 4 April 2024

What is CVE-2024-31212?

InstantCMS version 2.16.2 contains a SQL injection vulnerability that can be exploited by attackers with administrative privileges. The vulnerability lies within the index_chart_data action where user input is processed without adequate sanitization, allowing for unauthorized SQL code execution. Specifically, the error occurs in the filterFunc function within the core model, which incorporates user input directly into an SQL statement. If the 'period' input is not properly escaped prior to the query formation, it can be manipulated to execute malicious SQL commands, potentially compromising the integrity and security of the database. A patch for this vulnerability has not yet been released.

References

https://github.com/instantsoft/icms2/security/advisories/...

https://github.com/instantsoft/icms2/blob/4691a1524780e74...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 4, 2024