| Field | Value |
|---|---|
| Title | eyoucms EyouCMS <=1.7.9 SQL Injection |
| Description | A vulnerability was found in EyouCMS up to 1.7.9. It affects the function GetSortData of the file application/common.php. The manipulation of the argument sort_asc leads to SQL injection. The GetSortData() function accepts a user-supplied sort_asc parameter from the HTTP request and directly concatenates it into a SQL ORDER BY clause without any validation or sanitization. An unauthenticated remote attacker can exploit this via crafted requests to endpoints such as /index.php?m=home&c=Lists&a=index&tid=2&sort=new&sort_asc=PAYLOAD to perform time-based blind SQL injection, extracting arbitrary database contents including administrator credentials. The attack can be initiated remotely and does not require authentication. The exploit has been disclosed to the public and may be used. |
| Source | https://gitee.com/weng_xianhu/eyoucms/issues/IILFPE |
| User | anch0r (UID 96691) |
| Submission | 12/04/2026 02:51 PM (2 months ago) |
| Moderation | 29/04/2026 11:35 AM (17 days later) |
| Status | Accepted |
| VulDB Entry | 360114 [EyouCMS up to 1.7.9 application/common.php GetSortData sort_asc SQL Injection] |
| Points | 20 |
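The root cause described above is a request value landing verbatim in an ORDER BY clause. The following added example (illustrative code, not EyouCMS's own PHP) shows the defensive pattern: map `sort` and `sort_asc` through allow-lists so request text never reaches the SQL string, plus a small access-log check that flags any request whose `sort_asc` is not a legitimate direction. Column names and log lines are constructed for the demonstration.

```python
from urllib.parse import parse_qs, urlsplit

# Allow-lists: the only request values that may map onto SQL tokens.
# Column names are hypothetical stand-ins, not the EyouCMS schema.
SORT_COLUMNS = {"new": "add_time", "id": "aid"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def safe_order_by(sort: str, sort_asc: str) -> str:
    """Build an ORDER BY clause from request parameters. Only allow-listed
    tokens are emitted, so there is no request text to sanitize or escape."""
    column = SORT_COLUMNS.get(sort.lower())
    direction = SORT_DIRECTIONS.get(sort_asc.lower())
    if column is None or direction is None:
        raise ValueError(f"rejected sort parameters: sort={sort!r} sort_asc={sort_asc!r}")
    return f"ORDER BY {column} {direction}"


def flag_sort_asc_requests(log_lines):
    """Return (line_no, value) for access-log requests whose sort_asc is not a
    legitimate direction. Legitimate clients only send asc/desc, so any other
    value is alert-worthy regardless of what it contains."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        try:
            path = line.split('"')[1].split(" ")[1]  # from 'GET /path HTTP/1.1'
        except IndexError:
            continue  # not a combined-log-format line
        for value in parse_qs(urlsplit(path).query).get("sort_asc", []):
            if value.lower() not in SORT_DIRECTIONS:
                findings.append((n, value))
    return findings


# Constructed log lines for demonstration (not captured from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Apr/2026:14:51:00 +0000] "GET /index.php?m=home&c=Lists&a=index&tid=2&sort=new&sort_asc=desc HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Apr/2026:14:51:07 +0000] "GET /index.php?m=home&c=Lists&a=index&tid=2&sort=new&sort_asc=desc%2Cother HTTP/1.1" 200 509',
    '198.51.100.9 - - [12/Apr/2026:14:52:10 +0000] "GET /index.php?m=home&c=Lists&a=index&tid=3 HTTP/1.1" 200 480',
]

if __name__ == "__main__":
    print(safe_order_by("new", "DESC"))      # ORDER BY add_time DESC
    print(flag_sort_asc_requests(SAMPLE_LOG))  # [(2, 'desc,other')]
```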