CVE-2018-25176 Alive — Exploit & Vulnerability Details HIGH

Parameter	Value
CVSS	8.8 (HIGH)
Type	CWE-352 (Cross-Site Request Forgery (CSRF) (Подделка межсайтовых запросов))
Vendor	Alive
Public PoC	Yes

Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload functionality to the images/uploaded directory for remote code execution.

Attack Parameters

Attack Vector

Network

Атака возможна удалённо

Attack Complexity

Low

Легко эксплуатировать

Attack Requirements

None

Нет дополнительных условий

Privileges Required

None

Права не нужны

User Interaction

None

Не нужно действие пользователя

Impact Assessment

Confidentiality

High

Полная утечка данных

Integrity

Low

Частичная модификация данных

Availability

None

Нет нарушения работы

CVSS Vector v4.0

Weakness Type (CWE)

CWE-352 Cross-Site Request Forgery (CSRF) (Подделка межсайтовых запросов)

References 2

https://www.exploit-db.com/exploits/45840

disclosure@vulncheck.com

https://www.vulncheck.com/advisories/alive-parish-sql-injection-and-arbitrary-f…

disclosure@vulncheck.com

Menu

CVE-2018-25176

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

References 2

CVE Details

Editor's Choice