Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
FUEL CMS 1.4.1 allows SQL Injection via the layout, published, or search_term parameter to pages/items.
AnalysisAI
FUEL CMS 1.4.1 allows SQL Injection via the layout, published, or search_term parameter to pages/items. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. FUEL CMS 1.4.1 allows SQL Injection via the layout, published, or search_term parameter to pages/items. Affected products include: Thedaylightstudio Fuel Cms.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.
FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/logs/items. Rated critical severity (CVS
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items. Rat
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. Rated c
Fuel CMS v1.5.2 was discovered to contain a SQL injection vulnerability via the id parameter at /controllers/Blocks.php.
FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/pages/items. Rated high severity (CVSS 8
FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console. Rated high severity (CVSS 8.8)
FUEL CMS 1.4.3 has CSRF via users/create/ to add an administrator account. Rated high severity (CVSS 8.8), this vulnerab
Cross-site request forgery (CSRF) vulnerability in my_profile/edit?inline= in FUEL CMS 1.4 allows remote attackers to ch
A host header attack vulnerability exists in FUEL CMS 1.5.0 through fuel/modules/fuel/config/fuel_constants.php and fuel
Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database
FUEL CMS 1.5.0 login.php contains a cross-site request forgery (CSRF) vulnerability. Rated medium severity (CVSS 6.5), t
In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any acco
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today