#VU8066 SQL injection in SoftCMS - CVE-2017-50137

Cybersecurity Help s.r.o.

Published: 2017-09-01

Vulnerability identifier: #VU8066

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-50137

CWE-ID: CWE-89

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SoftCMS
Web applications / CMS

Vendor: Moxa

Description
The vulnerability allows a remote attacker to execute SQL commands on the target system.

The weakness exists due to improper input validation. A remote attacker can supply a specially crafted parameter value to execute SQL commands on the underlying database and gain access to SoftCMS without knowing the user’s password.

Mitigation
Update to version 1.7.
https://www.moxa.com/support/download.aspx?type=support&id=11362

Vulnerable software versions

SoftCMS: 1.1 - 1.6

External links
https://ics-cert.us-cert.gov/advisories/ICSA-17-243-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SQL injection in Moxa SoftCMS