KARMA 6.0.0 SQL Injection

🗓️ 17 Dec 2018 00:00:00Reported by Ali AbdollahiType

packetstorm🔗 packetstormsecurity.com👁 35 Views

SQL Injection in KARMA 6.0.0 via "ContentPlaceHolder1_uxTitle" componen

Reporter	Title	Published	Views	Family All 6
0day.today	KARMA 6.0.0 SQL Injection Vulnerability	17 Dec 201800:00	–	zdt
CVE	CVE-2018-18399	20 Dec 201822:00	–	cve
Cvelist	CVE-2018-18399	20 Dec 201822:00	–	cvelist
EUVD	EUVD-2018-10128	7 Oct 202500:30	–	euvd
NVD	CVE-2018-18399	20 Dec 201823:29	–	nvd
Prion	Sql injection	20 Dec 201823:29	–	prion

`CWE-89  
Use CVE-2018-18399.  
  
Credit: Ali Abdollahi  
Description:  
SQL injection vulnerability in the "ContentPlaceHolder1_uxTitle" component  
in ArchiveNews.aspx in jco.ir KARMA 6.0.0 allows a remote attacker to  
execute arbitrary SQL commands via the "id" parameter.  
  
Reference:  
> https://jco.ir/  
> http://yon.ir/pHjDN  
  
>  
https://jco.ir/Product/Details/1054/%D8%B3%D8%A7%D9%85%D8%A7%D9%86%D9%87%20%D9%86%D8%B1%D9%85%20%D8%A7%D9%81%D8%B2%D8%A7%D8%B1%DB%8C%20%D9%86%D8%B8%D8%A7%D9%85%20%D9%BE%D8%B0%DB%8C%D8%B1%D8%B4%20%D9%88%20%D8%A8%D8%B1%D8%B1%D8%B3%DB%8C%20%D9%BE%DB%8C%D8%B4%D9%86%D9%87%D8%A7%D8%AF%D9%87%D8%A7%DB%8C%20%DA%A9%D8%A7  
`

17 Dec 2018 00:00Current

0.6Low risk

Vulners AI Score0.6

EPSS0.0277