Description

SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses "into outfile" to create a backdoor program.

Remediation

References

CVE-2017-7290

Related Vulnerabilities

MySQL CVE-2022-21312 Vulnerability (CVE-2022-21312)

Magento Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2019-7942)

PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2007-4850)

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-4938)

WordPress Plugin Active Directory Integration/LDAP Integration Cross-Site Scripting (3.6.94)

Severity

High

Classification

CVE-2017-7290 CWE-138 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities