CVE-2018-9247: SQL Injection
First published: Wed Apr 04 2018(Updated: )
The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in Gxlcms QY v1.0.0713 allows remote attackers to execute arbitrary SQL statements via the sql parameter. Consequently, an attacker can execute arbitrary PHP code by placing it after a <?php substring, and then using INTO OUTFILE with a .php filename.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gxlcms | =1.0.0713 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2018-9247?
CVE-2018-9247 is considered a critical vulnerability due to its potential for remote code execution.
How do I fix CVE-2018-9247?
To fix CVE-2018-9247, upgrade Gxlcms QY to a version that addresses this vulnerability.
What type of attack can be carried out using CVE-2018-9247?
CVE-2018-9247 allows remote attackers to execute arbitrary SQL statements and potentially gain remote code execution.
What software versions are affected by CVE-2018-9247?
CVE-2018-9247 affects Gxlcms QY version 1.0.0713.
Is user authentication necessary to exploit CVE-2018-9247?
No, CVE-2018-9247 can be exploited without user authentication.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/severity
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/gxlcms
- canonical/gxlcms
- version/gxlcms/1.0.0713