ГлавнаяУязвимости → CVE-2020-37004
8.2высокая

CVE-2020-37004

Описание

The Ultimate Project Manager CRM PRO version 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. Attackers can exploit the /frontend/get_article_suggestion/ endpoint by crafting malicious search parameters to progressively guess and retrieve user credentials through boolean-based inference techniques.

CVSS
Балл8.2 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Источники
https://ultimatepro.codexcube.com/https://www.exploit-db.com/exploits/48912https://www.vulncheck.com/advisories/ultimate-project-manager-crm-pro-sqli-credentials-leakage