CVE-2023-4974

Academy LMS GET Parameter filter sql injection

CVSS 6.3 MEDIUMEPSS 4.9%CWE-89

Vexday Risk Score

28Bajo

Decisión SSVC (CISA)

Attend

PoC disponible → seguir de cerca

CVSS 6.3EPSS 4.9%KEV nãoPoC —Nuclei simMetasploit —Patch —

Ciclo de vida

15 sep 2023Publicada en NVD

Recomendación: Planificar corrección próxima — ya existe PoC pública.

A vulnerability was found in Academy LMS 6.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /academy/tutor/filter of the component GET Parameter Handler. The manipulation of the argument price_min/price_max leads to sql injection. The attack may be launched remotely. VDB-239750 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Productos afectados

Academy · LMS

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

http://packetstormsecurity.com/files/174681/Academy-LMS-6.2-SQL-Injection.html https://vuldb.com/?ctiid.239750 https://vuldb.com/?id.239750