WBCE CMS is Vulnerable to Time-Based Blind SQL Injection through groups[] Parameter

WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be escalated to a full database compromise, data exfiltration, effectively bypassing all security controls. The vulnerability exists in the admin/users/save.php script, which handles updates to user profiles. The script improperly processes the groups[] parameter sent from the user edit form. This issue is fixed in version 1.6.5.

N/A

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

WBCE CMS SQL注入漏洞

WBCE CMS是WBCE CMS开源的一套基于PHP和MySQL的开源内容管理系统（CMS）。 WBCE CMS 1.6.4及之前版本存在SQL注入漏洞，该漏洞源于groups参数处理不当，可能导致SQL注入攻击。

N/A

N/A