KARMA software version 6.0.0 SQL Injection vulnerability

2018.12.18

Ali Abdollahi (IR)

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2018-18399.

CWE: N/A

SQL injection vulnerability in the  "ContentPlaceHolder1_uxTitle" component in ArchiveNews.aspx in jco.ir KARMA 6.0.0 allows a remote attacker to execute arbitrary SQL commands via the "id" parameter.  

References:

https://jco.ir/

http://yon.ir/pHjDN

https://jco.ir/Product/Details/1054/%D8%B3%D8%A7%D9%85%D8%A7%D9%86%D9%87%20%D9%86%D8%B1%D9%85%20%D8%A7%D9%81%D8%B2%D8%A7%D8%B1%DB%8C%20%D9%86%D8%B8%D8%A7%D9%85%20%D9%BE%D8%B0%DB%8C%D8%B1%D8%B4%20%D9%88%20%D8%A8%D8%B1%D8%B1%D8%B3%DB%8C%20%D9%BE%DB%8C%D8%B4%D9%86%D9%87%D8%A7%D8%AF%D9%87%D8%A7%DB%8C%20%DA%A9%D8%A7

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

KARMA software version 6.0.0 SQL Injection vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.