CVE-2018-25176
8.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload functionality to the images/uploaded directory for remote code execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Demo | Alive Parish | 2.0.4 | affected |
Weaknesses
- CWE-352: Cross-Site Request Forgery (CSRF)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://www.exploit-db.com/exploits/45840
- https://www.vulncheck.com/advisories/alive-parish-sql-injection-and-arbitrary-file-upload
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.