Description

In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses.

Remediation

References

CVE-2017-11174

Related Vulnerabilities

Microsoft SQL Server Other Vulnerability (CVE-2002-1138)

WordPress Plugin Foliopress WYSIWYG Cross-Site Scripting (2.6.8.4)

Joomla! Core 2.5.x Cross-Site Scripting (2.5.0 - 2.5.1)

WordPress Plugin User Profile Builder-Beautiful User Registration Forms, User Profiles & User Role Editor Security Bypass (3.1.0)

Envoy Proxy Incorrect Authorization Vulnerability (CVE-2021-32777)

Severity

Critical

Classification

CVE-2017-11174 CWE-138 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities