Description

In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses.

Remediation

References

CVE-2017-11174

Related Vulnerabilities

WordPress Plugin Contact Form by WD-responsive drag & drop contact form builder tool SQL Injection (1.7.30)

Joomla! Core 1.0.x Cross-Site Scripting (1.0.0 - 1.0.11)

Seo Panel Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-28420)

Drupal Core 8.7.4 Security Bypass (8.7.4)

WordPress 4.0.x Multiple Vulnerabilities (4.0 - 4.0.31)

Severity

Critical

Classification

CVE-2017-11174 CWE-138 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities