CVE
============================================
CVE-2017-11174
Credit
============================================
Nguyen Thanh Nguyen
Dates
============================================
July 11, 2017
Vendor
============================================
Product
============================================
XOOPS Core
Versions Affected
============================================
2.5.8.1 and maybe below
Risk / Severity Rating
============================================
Context-Dependent
Vulnerability Description and Impact
============================================
Unfiltered user input is interpolated into CREATE and ALTER SQL statements on the database settings page, which allows SQL injection through the CHARACTER SET and COLLATE clauses (for example when GBK is selected as the character set).
Impact: context-dependent. An attacker can force a database to be created with an attacker-chosen charset and collation, which may enable SQL injection elsewhere in the application, and can change the charset and collation of other databases on the same server.
Solution
============================================
Filter (validate) the data before passing it into the queries.
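The fix the advisory calls for is validation of the charset and collation values before they reach the DDL string, since CHARACTER SET and COLLATE clauses cannot be bound as prepared-statement parameters. The following is an added example written for this page, not code from XOOPS or the reporter; the allowlist contents, the function names and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example (not XOOPS code): allowlist validation of CHARACTER SET /
// COLLATE values before they are interpolated into CREATE/ALTER DATABASE
// statements. DDL clauses cannot be parameterised, so anything that is not a
// known charset/collation pair must be rejected outright.

// Hypothetical allowlist; a real deployment would build it from the output
// of SHOW COLLATION on the target server rather than hard-coding it.
const ALLOWED_COLLATIONS = [
    'utf8mb4' => ['utf8mb4_general_ci', 'utf8mb4_unicode_ci'],
    'utf8'    => ['utf8_general_ci', 'utf8_unicode_ci'],
    'gbk'     => ['gbk_chinese_ci', 'gbk_bin'],
];

/**
 * Returns a safe "CHARACTER SET x COLLATE y" clause, or null when the
 * submitted values are not an allowed pair.
 */
function buildCharsetClause(string $charset, string $collation): ?string
{
    // Syntactic check first: charset and collation names consist only of
    // lowercase letters, digits and underscores, so quotes, whitespace,
    // comment markers and semicolons can never reach the query string.
    if (!preg_match('/^[a-z0-9_]{1,64}$/', $charset)
        || !preg_match('/^[a-z0-9_]{1,64}$/', $collation)) {
        return null;
    }
    // Semantic check: the pair must be one the server actually supports.
    if (!isset(ALLOWED_COLLATIONS[$charset])
        || !in_array($collation, ALLOWED_COLLATIONS[$charset], true)) {
        return null;
    }
    return "CHARACTER SET {$charset} COLLATE {$collation}";
}

/** Builds the ALTER DATABASE statement, or throws when input is rejected. */
function alterDatabaseSql(string $dbName, string $charset, string $collation): string
{
    // The database name is also attacker-influenced on a settings page;
    // restrict it to identifier characters before quoting it with backticks.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $dbName)) {
        throw new InvalidArgumentException('invalid database name');
    }
    $clause = buildCharsetClause($charset, $collation);
    if ($clause === null) {
        throw new InvalidArgumentException('charset/collation not allowed');
    }
    return "ALTER DATABASE `{$dbName}` {$clause}";
}

// Constructed inputs: one legitimate pair and one collation value that
// carries a second statement, which the validator must reject.
$cases = [
    ['xoops', 'utf8mb4', 'utf8mb4_unicode_ci'],
    ['xoops', 'gbk', 'gbk_chinese_ci; ALTER DATABASE other_db CHARACTER SET latin1'],
];
foreach ($cases as [$db, $cs, $col]) {
    try {
        echo alterDatabaseSql($db, $cs, $col), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run with `php example.php`: the first case prints the assembled ALTER DATABASE statement, the second prints a rejection. The regular-expression check alone would already stop the injected statement; the allowlist lookup additionally prevents a syntactically clean but unsupported or mismatched charset/collation pair from being applied to the database.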