vendor:
OneCMS
by:
str0ke
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: OneCMS
Affected Version From: OneCMS v2.4
Affected Version To: OneCMS v2.4
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
2007
OneCMS v2.4 Remote SQL Injection Exploit
OneCMS contains a flaw that allows an attacker to carry out an SQL injection attack. The issue is due to the userreviews.php script not properly sanitizing user-supplied input to the 'abc' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database if magic_quotes_gpc = off.
Mitigation:
Enable magic_quotes_gpc or sanitize user input to prevent SQL injection.