Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 glFusion 1.3.0 Blind SQL Injection

🗓️ 02 Feb 2026 00:00:00Reported by Omar KurtType 
packetstorm
 packetstorm🔗 packetstorm.news👁 189 Views

Critical blind SQL injection in glFusion CMS 1.3.0 via Media Gallery search parameter cat_id; upgrade to 1.3.1.

Code
glFusion 1.3.0 - Blind SQL Injection
    Advisory ID: RO-13-001
    Severity: Critical
    Vendor: glFusion
    Product: glFusion CMS
    Version: 1.3.0
    
    
    Overview #
    
    A critical Blind SQL Injection vulnerability exists in glFusion CMS version 1.3.0, affecting the Media Gallery search functionality. The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands and potentially compromise the entire database.
    
    
    Vulnerability Details #
    
    Affected Versions: 1.3.0 and earlier
    
    Location: /mediagallery/search.php
    
    Affected Parameter: cat_id
    
    Root Cause: The vulnerability exists due to insufficient input validation on the cat_id parameter. User-supplied input is directly concatenated into an SQL query without proper sanitization or parameterized queries, allowing attackers to inject malicious SQL statements.
    
    
    Exploitation Requirements #
    
        No authentication required
        Media Gallery module must be enabled
        Direct access to the search endpoint
    
    Impact #
    
    Remote attackers can exploit this vulnerability to:
    
        Extract sensitive data from the database (usernames, passwords, emails)
        Bypass authentication mechanisms
        Modify or delete database content
        Potentially gain administrative access to the CMS
    
    Proof of Concept #
    
    POST /mediagallery/search.php HTTP/1.1
    Host: target.com
    Content-Type: application/x-www-form-urlencoded
    
    cat_id='+(SELECT 1 FROM (SELECT SLEEP(25))A)+'
    
    Time-based Blind SQL Injection: If the server response is delayed by 25 seconds, the target is vulnerable.
    
    
    Solution #
    
    Upgrade to glFusion version 1.3.1 or later, which includes proper input sanitization for the affected parameter.
    
    
    References #
    
        Invicti Advisory NS-13-009
        Exploit-DB 28185
        Vendor Patch
    
    Timeline:
    
        [2013-09-05] - First contact
        [2013-09-06] - Fix released
        [2013-09-09] - Advisory released
    
    Credits: Omar Kurt

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Feb 2026 00:00Current
6.2Medium risk
Vulners AI Score6.2
glFusion CMSMedia Gallerycat_id parameterblind SQL injectionunauthenticated accessversion 1.3.0upgrade version 1.3.1
189