Itech Auction Script 6.49 /mcategory.php mcid Blind sql injection
A vulnerability was found in Itech Auction Script 6.49. It has been classified as critical. This affects an unknown part of the file /mcategory.php. The manipulation of the argument mcid with the input 4' AND 1734=1734 AND 'Ggks'='Ggks
leads to sql injection (Blind). The CWE definition for the vulnerability is CWE-89. The weakness was released 01/30/2017 as ID 96261 as Entry (VulDB). The advisory is shared at vuldb.com.
This vulnerability is uniquely identified as CVE-2017-20138. It is possible to initiate the attack remotely. Technical details are available. There is no exploit available. The price for an exploit might be around USD $0-$5k at the moment. MITRE ATT&CK project uses the attack technique T1505 for this issue.
It is declared as not defined. We expect the 0-day to have been worth approximately $0-$5k.
A possible mitigation has been published even before and not after the disclosure of the vulnerability.