Description
Bo-blog Wind through 1.6.0-r allows SQL Injection via the admin.php/comments/batchdel/ comID parameter because this parameter is mishandled in the mode/admin.mode.php delBlockedBatch function.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://c3tsec.wordpress.com/2019/01/12/sql-injection-in-bo-blog-wind-cms/
Scores
CVSS v3
9.8
EPSS
0.0150
EPSS Percentile
71.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
bo-blog/bw
< 1.6.0-r
Published
Feb 07, 2019
Tracked Since
Feb 18, 2026