CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability. Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and execute SYSTEM commands.
References
Link | Resource |
---|---|
https://github.com/rapid7/metasploit-framework/pull/13607 | Patch Third Party Advisory |
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: rapid7
Published: 2020-04-06T00:00:00
Updated: 2020-08-06T15:45:27
Reserved: 2020-01-21T00:00:00
Link: CVE-2020-7356
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-08-06T16:15:13.577
Modified: 2020-08-12T13:39:55.297
Link: CVE-2020-7356
JSON object: View
Redhat Information
No data.
CWE