Mingsoft MCMS hasta 5.2.9 /cms/category/list sqlWhere sql injection

ArtículoHistoryDiffjsonxmlCTI

Una vulnerabilidad clasificada como crítica ha sido encontrada en Mingsoft MCMS hasta 5.2.9. Una función desconocida del archivo /cms/category/list es afectada por esta vulnerabilidad. A través de la manipulación del parámetro sqlWhere de un input desconocido se causa una vulnerabilidad de clase sql injection. El advisory puede ser descargado de gitee.com. La vulnerabilidad es identificada como CVE-2022-4375. El ataque puede ser iniciado desde la red. Los detalles técnicos son conocidos. Fue declarado como proof-of-concept. El exploit puede ser descargado de gitee.com. Una actualización a la versión 5.2.10 elimina esta vulnerabilidad. El mejor modo sugerido para mitigar el problema es actualizar a la última versión. Una solución posible ha sido publicada incluso antes y no después de la publicación de la vulnerabilidad.

Campo	2022-12-09 08:05	2023-01-02 09:00	2023-01-02 09:01
vendor	Mingsoft	Mingsoft	Mingsoft
name	MCMS	MCMS	MCMS
version	<=5.2.9	<=5.2.9	<=5.2.9
file	/cms/category/list	/cms/category/list	/cms/category/list
argument	sqlWhere	sqlWhere	sqlWhere
cwe	89 (sql injection)	89 (sql injection)	89 (sql injection)
risk	2	2	2
cvss3_vuldb_av	N	N	N
cvss3_vuldb_ac	L	L	L
cvss3_vuldb_ui	N	N	N
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	L	L	L
cvss3_vuldb_i	L	L	L
cvss3_vuldb_a	L	L	L
cvss3_vuldb_e	P	P	P
cvss3_vuldb_rl	O	O	O
cvss3_vuldb_rc	C	C	C
url	https://gitee.com/mingSoft/MCMS/issues/I61TG5	https://gitee.com/mingSoft/MCMS/issues/I61TG5	https://gitee.com/mingSoft/MCMS/issues/I61TG5
availability	1	1	1
publicity	1	1	1
url	https://gitee.com/mingSoft/MCMS/issues/I61TG5	https://gitee.com/mingSoft/MCMS/issues/I61TG5	https://gitee.com/mingSoft/MCMS/issues/I61TG5
name	Upgrade	Upgrade	Upgrade
upgrade_version	5.2.10	5.2.10	5.2.10
cve	CVE-2022-4375	CVE-2022-4375	CVE-2022-4375
responsible	VulDB	VulDB	VulDB
date	1670540400 (2022-12-09)	1670540400 (2022-12-09)	1670540400 (2022-12-09)
cvss2_vuldb_av	N	N	N
cvss2_vuldb_ac	L	L	L
cvss2_vuldb_ci	P	P	P
cvss2_vuldb_ii	P	P	P
cvss2_vuldb_ai	P	P	P
cvss2_vuldb_e	POC	POC	POC
cvss2_vuldb_rc	C	C	C
cvss2_vuldb_rl	OF	OF	OF
cvss2_vuldb_au	S	S	S
cvss3_vuldb_pr	L	L	L
cvss2_vuldb_basescore	6.5	6.5	6.5
cvss2_vuldb_tempscore	5.1	5.1	5.1
cvss3_vuldb_basescore	6.3	6.3	6.3
cvss3_vuldb_tempscore	5.7	5.7	5.7
cvss3_meta_basescore	6.3	6.3	7.5
cvss3_meta_tempscore	5.7	5.7	7.3
price_0day	$0-$5k	$0-$5k	$0-$5k
cve_assigned		1670540400 (2022-12-09)	1670540400 (2022-12-09)
cve_nvd_summary		A vulnerability was found in Mingsoft MCMS up to 5.2.9. It has been classified as critical. Affected is an unknown function of the file /cms/category/list. The manipulation of the argument sqlWhere leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.2.10 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215196.	A vulnerability was found in Mingsoft MCMS up to 5.2.9. It has been classified as critical. Affected is an unknown function of the file /cms/category/list. The manipulation of the argument sqlWhere leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.2.10 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215196.
cvss3_nvd_av			N
cvss3_nvd_ac			L
cvss3_nvd_pr			N
cvss3_nvd_ui			N
cvss3_nvd_s			U
cvss3_nvd_c			H
cvss3_nvd_i			H
cvss3_nvd_a			H
cvss3_cna_av			N
cvss3_cna_ac			L
cvss3_cna_pr			L
cvss3_cna_ui			N
cvss3_cna_s			U
cvss3_cna_c			L
cvss3_cna_i			L
cvss3_cna_a			L
cve_cna			VulDB
cvss3_nvd_basescore			9.8
cvss3_cna_basescore			6.3

◂ Anterior Visión De Conjunto Próximo ▸

Interested in the pricing of exploits?

See the underground prices here!