CMS ISWEB version 3.5.3 suffers from a remote SQL injection vulnerability.
[Description]
CMS ISWEB 3.5.3 is vulnerable to multiple SQL injection flaws. An attacker
can inject malicious queries into the application and obtain
sensitive information.
------------------------------------------
[Additional Information]
PoC screenshots: https://imgur.com/a/buXJJKC
?id=1'
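
Why the `?id=1'` probe above reveals the flaw, and the pattern that closes it, as an added example that is neither ISWEB's code nor part of the original advisory. The `pages` table, the function names and the use of SQLite are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for a CMS content table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?)",
                   [(1, "Home"), (2, "Contacts")])
    return db

def fetch_page_concat(db, raw_id):
    """Vulnerable pattern: the request value is pasted into the SQL text."""
    sql = "SELECT title FROM pages WHERE id = " + raw_id
    try:
        return ("ok", db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # The stray quote from ?id=1' unbalances the statement. A parser
        # error here means the input was read as SQL syntax, not as a value.
        return ("sql_error", str(exc))

def fetch_page_bound(db, raw_id, validate=True):
    """Hardened pattern: check the type, then bind the value as a parameter."""
    if validate:
        # An id is a plain ASCII integer; anything else is refused up front.
        if not (raw_id.isascii() and raw_id.isdigit()):
            return ("rejected", [])
        value = int(raw_id)
    else:
        # Binding alone already keeps the quote out of the SQL grammar.
        value = raw_id
    rows = db.execute("SELECT title FROM pages WHERE id = ?", (value,))
    return ("ok", rows.fetchall())

if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'"):
        print(repr(probe), "concat:", fetch_page_concat(db, probe))
        print(repr(probe), "bound :", fetch_page_bound(db, probe))
```

With binding in place the quote never reaches the SQL parser, so the database error that the probe relies on disappears; the integer check additionally rejects the request before any query runs.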
------------------------------------------
[Vulnerability Type]
SQL Injection
------------------------------------------
[Vendor of Product]
http://www.isweb.it CMS ISWEB 3.5.3
------------------------------------------
[CVE Name]
CVE-2018-14956
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[CVE Impact Other]
The attacker can access the entire database, obtain a shell, and achieve remote code execution.
------------------------------------------
[Reference]
https://www.owasp.org/index.php/SQL_Injection
------------------------------------------
[Discoverer]
Thiago Sena & Rafael Fontes Souza & Occasio Security