vendor:
4CMS
by:
SecurityFocus
7.5
CVSS
HIGH
SQL-Injection and Local File-Include
89, 94
CWE
Product Name: 4CMS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009
4CMS Multiple SQL-Injection and Local File-Include Vulnerabilities
4CMS is prone to multiple SQL-injection vulnerabilities and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data. Exploiting the SQL-injection issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The attacker can exploit the local file-include issue to execute arbitrary local script code and obtain sensitive information that may aid in further attacks.
Mitigation:
Input validation should be used to ensure that untrusted data is not used to construct SQL queries that are executed against the database. Additionally, access to sensitive files should be restricted.
