SQL injection in SoftCMS

#VU8066 SQL injection in SoftCMS

Published: 2017-09-01

Vulnerability identifier: #VU8066

Vulnerability risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-50137

CWE-ID: CWE-89

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SoftCMS
Web applications / CMS

Vendor: Moxa

Description
The vulnerability allows a remote attacker to execute SQL commands on the target system.

The weakness exists due to improper input validation. A remote attacker can supply a specially crafted parameter value to execute SQL commands on the underlying database and gain access to SoftCMS without knowing the user’s password.

Mitigation
Update to version 1.7.
https://www.moxa.com/support/download.aspx?type=support&id=11362

Vulnerable software versions

SoftCMS: 1.1 - 1.6

External links
http://ics-cert.us-cert.gov/advisories/ICSA-17-243-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SQL injection in Moxa SoftCMS