Sign In
Advisories

CSZCMS 1.3.0 Authenticated SQL Injection via Members View Endpoint

Go Back
severity
critical
date
Affecting

  • CSZCMS 1.3.0

CWE
  • CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS
9.3
CVSS V4 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Credit
Abdulaziz Almetairy
Description
CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. Attackers can inject malicious SQL code through the view parameter to potentially execute time-based blind SQL injection attacks and extract database information.