Description
- VULNERABLE: A SQL injection vulnerability exists in CuppaCMS. An attacker can inject a query in "/administrator/alerts/alertLightbox.php" via the "params%5Bgroup%5D=2" parameter.
- Github: https://github.com/JiuBanSec
- Product: CuppaCMS
- Impact: Allows an attacker to inject queries, resulting in access to and disclosure of all data on the system.
- Payload:

```
params%5Bgroup%5D=2'+UNION+ALL+SELECT+concat('\n','database:',database(),'\n','user:',user(),'\n'),null--+-
```

- Proof of concept (POC):

- You can see the injected query in the params%5Bgroup%5D parameter, as shown below
- You can see the database and user in the response, as shown below
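
A defensive check for the request described above, added here as an example and not taken from the report or from CuppaCMS code: it decodes a form-encoded parameter string sent to the reported endpoint and flags any `params[group]` value that is not a plain integer. The function name, verdict strings and the assumption that the legitimate value is always a short non-negative integer (the report shows `2`) are this example's own.

```python
import re
from urllib.parse import parse_qsl

ENDPOINT = "/administrator/alerts/alertLightbox.php"  # path named in the report
PARAM = "params[group]"  # decoded form of params%5Bgroup%5D

# Assumption: a legitimate value is a short non-negative integer.
_INT_RE = re.compile(r"[0-9]{1,10}")
# SQL syntax that has no place in an integer field.
_SQLI_RE = re.compile(r"'|--|#|/\*|\bunion\b|\bselect\b|\bconcat\s*\(", re.I)

# Constructed samples: a benign value and the payload quoted in the report.
BENIGN = "params%5Bgroup%5D=2"
REPORTED = (r"params%5Bgroup%5D=2'+UNION+ALL+SELECT+concat('\n','database:',"
            r"database(),'\n','user:',user(),'\n'),null--+-")


def check_request(path, params):
    """Return (verdict, reason) for one form-encoded query string or body."""
    if path.split("?", 1)[0] != ENDPOINT:
        return ("ignore", "other endpoint")
    # parse_qsl percent-decodes names and values and turns '+' into a space,
    # so encoded brackets and spaces cannot hide the parameter or its content.
    values = [v for k, v in parse_qsl(params, keep_blank_values=True) if k == PARAM]
    if not values:
        return ("ok", "parameter absent")
    if len(values) > 1:
        # Duplicates can make a filter and the application read different values.
        return ("alert", "parameter repeated")
    value = values[0]
    if _INT_RE.fullmatch(value):
        return ("ok", "integer value")
    if _SQLI_RE.search(value):
        return ("alert", "SQL syntax in integer field")
    return ("alert", "non-integer value")


if __name__ == "__main__":
    for sample in (BENIGN, REPORTED):
        print(check_request(ENDPOINT, sample), sample[:40])
```

The same allow-list rule (accept only digits, reject everything else) belongs in the application as well, together with a parameterized query, so that the check does not depend on a filter in front of it.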
