Skip to main content

Instantcms CVE-2024-31212

HIGH
Improper Input Validation (CWE-20)
2024-04-04 security-advisories@github.com
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Apr 04, 2024 - 23:15 nvd
HIGH 7.2

DescriptionNVD

InstantCMS is a free and open source content management system. A SQL injection vulnerability affects instantcms v2.16.2 in which an attacker with administrative privileges can cause the application to execute unauthorized SQL code. The vulnerability exists in index_chart_data action, which receives an input from user and passes it unsanitized to the core model filterFunc function that further embeds this data in an SQL statement. This allows attackers to inject unwanted SQL code into the statement. The period should be escaped before inserting it in the query. As of time of publication, a patched version is not available.

AnalysisAI

InstantCMS is a free and open source content management system. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-20. InstantCMS is a free and open source content management system. A SQL injection vulnerability affects instantcms v2.16.2 in which an attacker with administrative privileges can cause the application to execute unauthorized SQL code. The vulnerability exists in index_chart_data action, which receives an input from user and passes it unsanitized to the core model filterFunc function that further embeds this data in an SQL statement. This allows attackers to inject unwanted SQL code into the statement. The period should be escaped before inserting it in the query. As of time of publication, a patched version is not available. Affected products include: Instantcms.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2013-10051 CRITICAL POC
9.3 Aug 01

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() withi

CVE-2023-4188 CRITICAL POC
9.1 Aug 05

SQL Injection in GitHub repository instantsoft/icms2 prior to 2.16.1-git. Rated critical severity (CVSS 9.1), this vulne

CVE-2013-6839 HIGH POC
7.5 Dec 13

SQL injection vulnerability in InstantSoft InstantCMS 1.10.3 and earlier allows remote attackers to execute arbitrary SQ

CVE-2023-4655 MEDIUM POC
6.1 Aug 31

Cross-site Scripting (XSS) - Reflected in GitHub repository instantsoft/icms2 prior to 2.16.1. Rated medium severity (CV

CVE-2018-14382 MEDIUM POC
6.1 Jul 18

InstantCMS 2.10.1 has /redirect?url= XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable,

CVE-2024-50348 MEDIUM POC
5.4 Oct 29

InstantCMS is a free and open source content management system. Rated medium severity (CVSS 5.4), this vulnerability is

CVE-2024-31213 MEDIUM POC
5.4 Apr 05

InstantCMS is a free and open source content management system. Rated medium severity (CVSS 5.4), this vulnerability is

CVE-2023-4878 MEDIUM POC
5.4 Sep 10

Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1-git. Rated medium severity (CV

CVE-2023-4652 MEDIUM POC
5.4 Aug 31

Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git. Rated medium severity (C

CVE-2023-4651 MEDIUM POC
5.4 Aug 31

Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1. Rated medium severity (CVSS 5

CVE-2023-4649 MEDIUM POC
5.4 Aug 31

Session Fixation in GitHub repository instantsoft/icms2 prior to 2.16.1. Rated medium severity (CVSS 5.4), this vulnerab

CVE-2023-4704 MEDIUM POC
4.9 Sep 01

External Control of System or Configuration Setting in GitHub repository instantsoft/icms2 prior to 2.16.1-git. Rated me

Share

CVE-2024-31212 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy