There is a SQL Injection vulnerability in PHP-Nuke 8.3.3 in the User Registration section, leading to remote code execution. This occurs because the U.S. state is not validated to be two letters, and the OrderBy field is not validated to be one of LASTNAME, CITY, or STATE.
References
Link | Resource |
---|---|
https://gist.github.com/stacksmasher007/41e946fc9a5a2f0b6950626cc9d43d47 | Exploit Third Party Advisory |
https://gist.github.com/stacksmasher007/41e946fc9a5a2f0b6950626cc9d43d47 | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 06:03
Type | Values Removed | Values Added |
---|---|---|
References | () https://gist.github.com/stacksmasher007/41e946fc9a5a2f0b6950626cc9d43d47 - Exploit, Third Party Advisory |
Information
Published : 2021-04-07 11:15
Updated : 2024-11-21 06:03
NVD link : CVE-2021-30177
Mitre link : CVE-2021-30177
CVE.ORG link : CVE-2021-30177
JSON object : View
Products Affected
phpnuke
- php-nuke
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')