CVE-2018-17566: SQL Injection
First published: Wed Sep 26 2018(Updated: )
In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ThinkPHP ThinkPHP | =5.1.24 | |
| composer/topthink/framework | =5.1.24 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this ThinkPHP vulnerability?
The vulnerability ID of this ThinkPHP vulnerability is CVE-2018-17566.
What is the severity of CVE-2018-17566?
The severity of CVE-2018-17566 is critical with a severity value of 9.8.
How does this ThinkPHP vulnerability affect the software?
In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request.
How can the SQL injection vulnerability be exploited?
The SQL injection vulnerability in ThinkPHP 5.1.24 can be exploited by controlling the value of the WHERE condition in the delete function.
Is there a fix available for CVE-2018-17566?
Yes, a fix is available for CVE-2018-17566. It is recommended to update to a version of ThinkPHP that is not affected by this vulnerability.
- collector/nvd-index
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-75fm-52mm-q5rm
- alias/CVE-2018-17566
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/author
- agent/references
- agent/description
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/tags
- agent/event
- agent/trending
- vendor/thinkphp
- canonical/thinkphp thinkphp
- version/thinkphp thinkphp/5.1.24
- package-manager/composer