CVE-2012-6290

ImageCMS < 4.2 - Authenticated SQL Injection via Admin Search Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-6290. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary The advisory describes a SQL injection vulnerability in ImageCMS 4.0.0b, where the 'q' parameter in '/admin/admin_search/' is insufficiently filtered, allowing authenticated administrators to execute arbitrary SQL commands. It also highlights the potential for CSRF exploitation.

Description

SQL injection vulnerability in ImageCMS before 4.2 allows remote authenticated administrators to execute arbitrary SQL commands via the q parameter to admin/admin_search/. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.

Exploits (1)

exploitdb WRITEUP

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/24365

View Code ZIP pw:eip

The advisory describes a SQL injection vulnerability in ImageCMS 4.0.0b, where the 'q' parameter in '/admin/admin_search/' is insufficiently filtered, allowing authenticated administrators to execute arbitrary SQL commands. It also highlights the potential for CSRF exploitation.

Classification

Writeup 100%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: ImageCMS 4.0.0b and prior

Auth required

Prerequisites: Authenticated administrator access · MySQL database with file write permissions

MITRE ATT&CK