ГлавнаяУязвимости → CVE-2018-25392
7.1высокая

CVE-2018-25392

Описание

MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters in the log_activity function. Attackers can send POST requests to /index.php/user/log_activity with malicious SQL code in these parameters to extract sensitive database information including version and database names.

CVSS
Балл7.1 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Источники
http://demo.maxonerp.com/http://www.talagasoft.comhttps://www.exploit-db.com/exploits/45605https://www.vulncheck.com/advisories/maxon-erp-software-8-x-9-x-sql-injection-via-nomor-parameter