| Field | Value |
|---|---|
| Title | Boyun Boyun PHPCMS <=1.4.20 SQL Injection |
| Description | A SQL injection vulnerability exists in BoYun PHPCMS (≤1.4.20) within the application/update/controller/Server.php file. The application fails to properly sanitize user-supplied input (such as the phone parameter) before incorporating it directly into SQL queries. This flaw allows remote attackers to manipulate database queries by injecting arbitrary SQL commands, potentially leading to unauthorized data access, modification, or even full database compromise. The vulnerability appears to stem from leftover or legacy test code that was not removed from the production release. |
| Source | https://note-hxlab.wetolink.com/share/sEjaSsXWRNz1 |
| User | YELEIPENG (UID 73615) |
| Submission | 06/26/2025 07:59 (10 months ago) |
| Moderation | 07/05/2025 19:39 (9 days later) |
| Status | Accepted |
| VulDB entry | 315016 [BoyunCMS up to 1.4.20 Server.php phone sql injection] |
| Points | 20 |