vendor:
Form Maker
by:
Ihsan Sencan
9.8
CVSS
CRITICAL
SQL Injection
89
CWE
Product Name: Form Maker
Affected Version From: 3.6.12
Affected Version To: 3.6.12
Patch Exists: YES
Related CWE: CVE-2018-5991
CPE: a:web-dorado:form_maker:3.6.12
Metasploit:
N/A
Other Scripts:
N/A
Platforms Tested: WiN7_x64/KaLiLinuX_x64
2018
Joomla! Component Form Maker 3.6.12 – SQL Injection
Joomla! Component Form Maker 3.6.12 is vulnerable to SQL Injection. An attacker can exploit this vulnerability to gain access to sensitive information stored in the database. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'id' and 'from' parameters of the 'index.php' script. An attacker can send a maliciously crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the context of the web application. This can allow the attacker to access or modify data in the back-end database.
Mitigation:
Input validation should be used to ensure that untrusted data is not used to construct SQL commands that are passed to the database. It is also recommended to use parameterized queries to prevent SQL injection.