CVE-2018-17796

wuweiit/mushroom

on github

Published

September 30, 2018

Severity

CVSS v3:

9.8 CRITICAL

CVSS v2:

7.5 HIGH

Description

An issue was discovered in MRCMS (aka mushroom) through 3.1.2. The WebParam.java file directly accepts the FIELD_T parameter in a request and uses it as a hash of SQL statements without filtering, resulting in a SQL injection vulnerability in getChannel() in the ChannelService.java file.

References

https://github.com/wuweiit/mushroom/issues/16

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:mushroom_content_management_system_project:mushroom_content_management_system::::::::	n/a	3.1.2 (including)	*

External Links

NVD - CVE-2018-17796