CVE-2020-17463

CVSS 9.8 CRITICAL · EPSS 90.0% · KEV · CWE-89

In short

FUEL CMS 1.4.7 has a critical flaw that allows attackers to inject malicious SQL commands through the 'col' parameter in certain admin pages, potentially giving them access to sensitive database information or full control of the system.

Technical detail

SQL injection vulnerability in FUEL CMS 1.4.7 affecting the 'col' parameter of /pages/items, /permissions/items, and /navigation/items endpoints. An authenticated or unauthenticated attacker can execute arbitrary SQL queries to read, modify, or delete database contents, depending on database permissions and application context.

Summary generated and translated by AI from the official description.
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a