vendor:
MDPro
by:
XaDoS
7,5
CVSS
HIGH
Blind $QL Injection (pollID)
89
CWE
Product Name: MDPro
Affected Version From: MDPro v 1.083.x
Affected Version To: MDPro v 1.083.x
Patch Exists: NO
Related CWE: N/A
CPE: a:maxdev:mdpro
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009
Information_schema
The vulnerability exists in the pollID parameter of the modules.php file. An attacker can inject arbitrary SQL queries in the pollID parameter and execute them in the backend database. For example, an attacker can inject a substring query to extract the version of the backend database.
Mitigation:
Input validation should be done on the pollID parameter to prevent SQL injection attacks.