Description

In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses.

Remediation

References

CVE-2017-11174

Related Vulnerabilities

WordPress Plugin Stream Video Player Cross-Site Request Forgery (1.4.0)

WordPress Plugin Simple Fields Local File Inclusion (0.3.5)

osCommerce Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-43708)

WordPress Plugin FV Flowplayer Video Player Cross-Site Scripting (7.4.37.727)

MySQL CVE-2021-35602 Vulnerability (CVE-2021-35602)

Severity

Critical

Classification

CVE-2017-11174 CWE-138 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities