CVE-2021-47980

Fuel CMS 1.4.13 Blind SQL Injection via col Parameter

CVSS 7.1 HIGHEPSS 0.2%CWE-89

Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the 'col' parameter to extract database information based on response time delays.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

Getfuelcms · Fuel CMS

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/50523unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/daylightstudio/FUEL-CMS/archive/1.4.13.zip https://www.exploit-db.com/exploits/50523 https://www.getfuelcms.com/https://www.vulncheck.com/advisories/fuel-cms-blind-sql-injection-via-col-parameter