Vulnerability CVE-2022-26986


Published: 2022-04-05

Description:
SQL Injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject into the code in an unintended way; this allows an attacker to read and modify sensitive information from the database used by the application. If misconfigured, an attacker can even upload a malicious web shell to compromise the entire system.

See advisories in our WLB2 database:
Risk: Med.
Topic: Authenticated Sql Injection in ImpressCMS v1.4.3
Author: Sarang Tumne
Date: 12.10.2022

Type: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

CVSS2 => (AV:N/AC:M/Au:S/C:C/I:C/A:C)

CVSS Base Score: 8.5/10
Impact Subscore: 10/10
Exploitability Subscore: 6.8/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Single time

Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Affected software: Impresscms -> Impresscms

References:
https://github.com/sartlabs/0days/blob/main/ImpressCMS1.4.3/Exploit.txt

Copyright 2024, cxsecurity.com