CVE-2019-25573

EUVD-2019-19895
Green CMS 2.x contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cat parameter. Attackers can send GET requests to index.php with m=admin, c=posts, a=index parameters and inject SQL code in the cat parameter to manipulate database queries and extract sensitive information.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
VulnCheckCNA
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
njtechgreencms
2.1.0612 ≤
𝑥
≤ 2.3.0603
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.greencms.net/
https://codeload.github.com/GreenCMS/GreenCMS/zip/beta
https://www.exploit-db.com/exploits/46244
https://www.vulncheck.com/advisories/green-cms-2-x-sql-injection-via-cat-parameter