Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SPIP interface_traduction_objets < 2.2.2 Authenticated SQL Injection
Vulnerability Description
The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation requests, the plugin reads the id_parent parameter from user-supplied input and concatenates it directly into a SQL WHERE clause in a call to sql_getfetsel() without input validation or parameterization. An authenticated attacker with editor-level privileges can inject crafted SQL expressions into the id_parent parameter to manipulate the backend query. Successful exploitation can result in disclosure or modification of database contents and may lead to denial of service depending on the database configuration and privileges.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Vulnerability Title
SPIP interface_traduction_objets 安全漏洞
Vulnerability Description
SPIP interface_traduction_objets是SPIP公司的一个扩展插件。 SPIP interface_traduction_objets 2.2.2之前版本存在安全漏洞,该漏洞源于interface_traduction_objets_pipelines.php在处理翻译请求时直接将id_parent参数连接到SQL WHERE子句,可能导致SQL注入攻击。
CVSS Information
N/A
Vulnerability Type
N/A