CVE-2020-21809
CRITICAL9.8EPSS 0.59%NukeViet SQL Injection vulnerability
發布日:2022/5/24修改日:2024/4/24
描述
SQL Injection vulnerability in NukeViet CMS module Shops 4.0.29 and 4.3 via the (1) listid parameter in detail.php and the (2) group_price or groupid parameters in search_result.php. ### Fix Implementation: Download the update package corresponding to the NukeViet version you are using, extract and upload to hosting according to NukeViet's structure: For NukeViet 4.0 Official (4.0.29) For NukeViet 4.1 Official (4.1.02) For NukeViet 4.2 (4.2.01) As for NukeViet 4.3, you can update according to the notice in the admin page or see here: https://nukeviet.vn/vi/news/Tin-tuc/thong-bao-phat-hanh-nukeviet-4- 3-08-613.html
受影響套件(1)
- Packagist/nukeviet/nukeviet>= 4.0, < 4.0.29
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-21809
- PATCHhttps://github.com/nukeviet/nukeviet
- WEBhttps://github.com/nukeviet/module-shops/commit/742c0e0f74364f7250c2a69f0a957d4e6317be68
- WEBhttps://nukeviet.vn/vi/news/Tin-an-ninh/huong-dan-fix-loi-bao-mat-nukeviet-4-va-module-shops-612.html
- WEBhttps://whitehub.net/submissions/1517
- WEBhttps://whitehub.net/submissions/1518