| Название | https://github.com/TeamEasy/EasyCMS EasyCMS v1.6 https://github.com/TeamEasy/EasyCMS |
|---|
| Описание | There exists a SQL injection vulnerability in the /RbacnodeAction.class.php file of EasyCMS v1.6. This vulnerability arises because the _order parameter in the code is not effectively filtered and is directly concatenated into SQL query statements.
Attackers can capture the relevant POST request packets, insert malicious SQL statement markers into the parameters, launch attacks with tools such as sqlmap, and obtain database permissions via the time-based blind injection method. This vulnerability allows attackers to bypass authentication, steal sensitive data, tamper with database information, and even execute system commands to take control of the server. It will trigger severe security incidents such as data leakage and server compromise, posing an enormous threat to system security and data confidentiality.
|
|---|
| Источник | ⚠️ https://github.com/ueh1013/VULN/issues/19 |
|---|
| Пользователь | zzzh (UID 94773) |
|---|
| Представление | 24.02.2026 04:04 (2 месяцы назад) |
|---|
| Модерация | 08.03.2026 08:03 (12 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 349752 [EasyCMS до 1.6 Request Parameter RbacnodeAction.class.php _order SQL-инъекция] |
|---|
| Баллы | 20 |
|---|