Vendor: Spaceacre
By: CoBRa_21
CVSS: 8.8 (HIGH)
Vulnerability Type: SQL/HTML/XSS Injection
CWE: 89, 79, 79
Product Name: Spaceacre
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2020
Spaceacre (index.php) SQL/HTML/XSS Injection Vulnerability
Spaceacre is vulnerable to SQL, HTML and cross-site scripting (XSS) injection through the 'catID' parameter of index.php. The value of this parameter is not sufficiently validated before it is used in a database query and reflected into the page, so an attacker who controls it can alter the SQL query the application executes, inject arbitrary HTML into the rendered page, and run attacker-supplied script in the victim's browser.
Mitigation:
Validate 'catID' on the server side (a category identifier is typically an integer, in which case anything non-numeric should be rejected), pass it to the database through parameterized queries rather than string concatenation, and HTML-encode any value reflected into the page so that injected markup or script is rendered as inert text. The application should also connect with a least-privilege database account, which limits what a successful SQL injection can read or change.
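The following is an added example of what a hardened version of the catID handling in index.php could look like; it is not Spaceacre's own code (the advisory shows no source), and the table and column names, the in-memory SQLite database used for the demonstration, and the availability of the pdo_sqlite extension are all assumptions. It applies the three mitigations above: strict validation of the parameter, a prepared statement with the value bound as an integer, and HTML encoding of everything echoed into the page.

```php
<?php
// Added hardening example for an index.php?catID=... handler.
// Not the project's code: the table name "categories" and the columns
// "id"/"name" are assumptions, as is the SQLite demo database.
declare(strict_types=1);

// The vulnerable shape the advisory describes is, in general terms,
// building the query by string concatenation and echoing the raw
// parameter back into the page, e.g.
//   $sql = "SELECT ... WHERE id = " . $_GET['catID'];  echo $_GET['catID'];
// Both are avoided below.

/**
 * Validate catID: accept only a positive integer of reasonable length.
 * Anything else is rejected before it reaches the database or the page.
 */
function parseCatId(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/**
 * Fetch the category with a prepared statement. The value is bound as a
 * typed parameter and is never concatenated into the SQL text.
 */
function loadCategory(PDO $db, int $catId): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $catId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * HTML-encode any value reflected into the page. This closes the HTML/XSS
 * vector even for values that come from the database rather than the URL.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Demonstration with constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO categories (id, name) VALUES (1, 'Books'), (2, 'Tools')");

$catId = parseCatId($_GET['catID'] ?? null);
if ($catId === null) {
    http_response_code(400);
    exit('Invalid catID');
}

$cat = loadCategory($db, $catId);
if ($cat === null) {
    http_response_code(404);
    exit('No such category');
}

// Every reflected value passes through h(), including the id, which is
// already an integer but is encoded anyway for consistency.
echo '<h1>', h($cat['name']), '</h1>', "\n";
echo '<p>Category #', h((string) $cat['id']), '</p>', "\n";
```

Requesting index.php?catID=2 returns the "Tools" heading; a value such as catID=2abc or an empty value is rejected with HTTP 400 before any query runs, and a category name containing angle brackets or quotes is emitted as encoded text rather than markup. The least-privilege part of the mitigation is a database-side change (a dedicated account granted only SELECT on the tables the page needs) and is not something the PHP code itself can enforce.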