Mingsoft MCMS up to 5.2.9 /cms/category/list sqlWhere sql injection

A vulnerability classified as critical was found in Mingsoft MCMS up to 5.2.9. Affected is an unknown function of the file /cms/category/list. Manipulation of the argument sqlWhere leads to SQL injection; the weakness is classified as CWE-89. The weakness was released 12/09/2022. The advisory is shared for download at gitee.com. This vulnerability is tracked as CVE-2022-4375. The attack can be launched remotely. Technical details are available, and an exploit has been disclosed to the public and may be used. The current price for an exploit might be approx. USD $0-$5k at the moment. The MITRE ATT&CK project declares the attack technique as T1505. The exploit is declared as proof-of-concept and is shared for download at gitee.com. As 0-day the estimated underground price was around $0-$5k. Upgrading to version 5.2.10 addresses this issue; upgrading the affected component is recommended.

Timeline

Analysis of the timeline helps to identify the required approach to, and handling of, single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance, enabling immediate vulnerability response and prioritization of issues.

User: VulDB Mod Team (66 commits)

Field: cvss3_meta_tempscore (2), cvss3_meta_basescore (2), cvss3_cna_basescore (1), cvss3_nvd_basescore (1), cve_cna (1)

Commit Conf: 90% (37), 70% (19), 50% (10)

Approve Conf: 90% (37), 70% (19), 80% (10)

66 Commits

ID       | Committed  | User   | Field                | Change | Remarks                | Moderation | Response | Conf
---------|------------|--------|----------------------|--------|------------------------|------------|----------|-----
13467315 | 01/02/2023 | VulDB… | cvss3_cna_basescore  | 6.3    | see CVSS documentation | 01/02/2023 | accepted | 90
13467314 | 01/02/2023 | VulDB… | cvss3_nvd_basescore  | 9.8    | nist.gov               | 01/02/2023 | accepted | 90
13467313 | 01/02/2023 | VulDB… | cvss3_meta_tempscore | 7.3    | see CVSS documentation | 01/02/2023 | accepted | 90
13467312 | 01/02/2023 | VulDB… | cvss3_meta_basescore | 7.5    | see CVSS documentation | 01/02/2023 | accepted | 90
13467311 | 01/02/2023 | VulDB… | cve_cna              | VulDB  | nvd.nist.gov           | 01/02/2023 | accepted | 70
13467310 | 01/02/2023 | VulDB… | cvss3_cna_a          | L      | nvd.nist.gov           | 01/02/2023 | accepted | 70
13467309 | 01/02/2023 | VulDB… | cvss3_cna_i          | L      | nvd.nist.gov           | 01/02/2023 | accepted | 70
13467308 | 01/02/2023 | VulDB… | cvss3_cna_c          | L      | nvd.nist.gov           | 01/02/2023 | accepted | 70
13467307 | 01/02/2023 | VulDB… | cvss3_cna_s          | U      | nvd.nist.gov           | 01/02/2023 | accepted | 70
13467306 | 01/02/2023 | VulDB… | cvss3_cna_ui         | N      | nvd.nist.gov           | 01/02/2023 | accepted | 70
13467305 | 01/02/2023 | VulDB… | cvss3_cna_pr         | L      | nvd.nist.gov           | 01/02/2023 | accepted | 70
13467304 | 01/02/2023 | VulDB… | cvss3_cna_ac         | L      | nvd.nist.gov           | 01/02/2023 | accepted | 70
13467303 | 01/02/2023 | VulDB… | cvss3_cna_av         | N      | nvd.nist.gov           | 01/02/2023 | accepted | 70
13467302 | 01/02/2023 | VulDB… | cvss3_nvd_a          | H      | nvd.nist.gov           | 01/02/2023 | accepted | 70
13467301 | 01/02/2023 | VulDB… | cvss3_nvd_i          | H      | nvd.nist.gov           | 01/02/2023 | accepted | 70
13467300 | 01/02/2023 | VulDB… | cvss3_nvd_c          | H      | nvd.nist.gov           | 01/02/2023 | accepted | 70
13467299 | 01/02/2023 | VulDB… | cvss3_nvd_s          | U      | nvd.nist.gov           | 01/02/2023 | accepted | 70
13467298 | 01/02/2023 | VulDB… | cvss3_nvd_ui         | N      | nvd.nist.gov           | 01/02/2023 | accepted | 70
13467297 | 01/02/2023 | VulDB… | cvss3_nvd_pr         | N      | nvd.nist.gov           | 01/02/2023 | accepted | 70
13467296 | 01/02/2023 | VulDB… | cvss3_nvd_ac         | L      | nvd.nist.gov           | 01/02/2023 | accepted | 70

46 more entries are not shown
