vendor:
Portal+ CMS
by:
Felipe Andrian Peixoto
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Portal+ CMS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Platforms Tested: Windows 7 and Gnu/Linux
2019
Sql Injection on microASP (Portal+) CMS
A SQL injection vulnerability exists in microASP (Portal+) CMS, which allows an attacker to execute arbitrary SQL commands on the underlying database. The vulnerability is due to improper input validation of the 'explode_tree' parameter in the 'pagina.phtml' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious SQL statements to the vulnerable script. Successful exploitation of this vulnerability can allow an attacker to gain access to sensitive information stored in the database, modify or delete data, or execute arbitrary system commands on the underlying operating system.
Mitigation:
Input validation should be performed on all user-supplied data to ensure that only expected data is accepted. Additionally, parameterized queries should be used to prevent SQL injection attacks.
