CVE-2019-8421 | Maximal damage | 7.2 | Difficult to exploit
Published: Sun Feb 17 22:29:00 2019 UTC. Last Modified: Wed Feb 20 15:35:00 2019 UTC
CPE matches: cpe:2.3:a:bagesoft:bagecms:*:*:*:*:*:*:*:* && versionEndIncluding=3.1.4
Description
upload/protected/modules/admini/views/post/index.php in BageCMS through 3.1.4 allows SQL Injection via the title or titleAlias parameter.
Damage
- Complete loss of protection.
- Access to all information.
- Full Denial Of Service (DoS).
Attack conditions
- Remote attack is possible over the network, but the attacker must already hold administrative privileges.
- No user interaction is required.
- Once attempted, the attack is estimated to have a high success rate.
Damage and attack conditions are derived from the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Type of bug(s)
- CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.