SQL injection in CW Article Attachments

#VU15367 SQL injection in CW Article Attachments

Published: 2018-10-15

Vulnerability identifier: #VU15367

Vulnerability risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-89

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
CW Article Attachments
Web applications / Modules and components for CMS

Vendor: Joomla!

Description
The disclosed vulnerability allows a remote attacker to execute arbitrary SQL commands in application database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker can send a specially crafted request to vulnerable application and execute arbitrary SQL commands in application's database.

Successful exploitation of this vulnerability may allow a remote attacker to read, alter or modify data in database.

Mitigation
Update to version 1.0.7, 2.1.2 or later.

Vulnerable software versions

CW Article Attachments: All versions

External links
http://vel.joomla.org/resolved/2194-cw-article-attachments-free-version-sql-injection
http://vel.joomla.org/resolved/2195-cw-article-attachments-pro-version-sql-injection

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SQL injection in CW Article Attachments component for Joomla!