Skip to main content

Fuel Cms CVE-2018-16762

CRITICAL
SQL Injection (CWE-89)
2018-09-09 cve@mitre.org
9.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 09, 2018 - 21:29 nvd
CRITICAL 9.8

DescriptionNVD

FUEL CMS 1.4.1 allows SQL Injection via the layout, published, or search_term parameter to pages/items.

AnalysisAI

FUEL CMS 1.4.1 allows SQL Injection via the layout, published, or search_term parameter to pages/items. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. FUEL CMS 1.4.1 allows SQL Injection via the layout, published, or search_term parameter to pages/items. Affected products include: Thedaylightstudio Fuel Cms.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2021-38727 CRITICAL POC
9.8 Sep 09

FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/logs/items. Rated critical severity (CVS

CVE-2020-17463 CRITICAL POC
9.8 Aug 13

FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items. Rat

CVE-2018-16763 CRITICAL POC
9.8 Sep 09

FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. Rated c

CVE-2023-33557 HIGH POC
8.8 Jun 09

Fuel CMS v1.5.2 was discovered to contain a SQL injection vulnerability via the id parameter at /controllers/Blocks.php.

CVE-2021-38723 HIGH POC
8.8 Sep 09

FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/pages/items. Rated high severity (CVSS 8

CVE-2019-15229 HIGH POC
8.8 Aug 20

FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console. Rated high severity (CVSS 8.8)

CVE-2018-20188 HIGH POC
8.8 Dec 17

FUEL CMS 1.4.3 has CSRF via users/create/ to add an administrator account. Rated high severity (CVSS 8.8), this vulnerab

CVE-2018-16416 HIGH POC
8.8 Sep 03

Cross-site request forgery (CSRF) vulnerability in my_profile/edit?inline= in FUEL CMS 1.4 allows remote attackers to ch

CVE-2021-38290 HIGH POC
8.1 Aug 09

A host header attack vulnerability exists in FUEL CMS 1.5.0 through fuel/modules/fuel/config/fuel_constants.php and fuel

CVE-2021-47980 HIGH POC
7.1 May 16

Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database

CVE-2021-38721 MEDIUM POC
6.5 Sep 09

FUEL CMS 1.5.0 login.php contains a cross-site request forgery (CSRF) vulnerability. Rated medium severity (CVSS 6.5), t

CVE-2020-26167 CRITICAL
9.8 Nov 04

In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any acco

Share

CVE-2018-16762 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy