Last active
November 16, 2019 12:40
-
-
Save shiham101/d1de44d1dcf2c33d401ef2f8cbb04f9f to your computer and use it in GitHub Desktop.
CVE-2019-13957
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
> [Suggested description] | |
> In Umbraco custom Backoffice API Controller , there is | |
> SQL Injection in the backoffice/PageWApprove/PageWApproveApi/GetInpectSearch method via the nodeName parameter. | |
> | |
> ------------------------------------------ | |
> | |
> [Vulnerability Type] | |
> SQL Injection | |
> | |
> ------------------------------------------ | |
> | |
> [Vendor of Product] | |
> umbraco custom Backoffice API Controller | |
> | |
> ------------------------------------------ | |
> | |
> [Affected Product Code Base] | |
> umbraco backoffice custom Backoffice API Controller | |
> | |
> ------------------------------------------ | |
> | |
> [Affected Component] | |
> https://www.example.com/umbraco/backoffice/PageWApprove/PageWApproveApi/GetInpectSearch?startdate=2019-05-07&enddate=2019-06-06&userName=chtpt&nodeName='%20waitfor%20delay'0%3a0%3a20'-- | |
> | |
> ------------------------------------------ | |
> | |
> [Attack Type] | |
> Remote | |
> | |
> ------------------------------------------ | |
> | |
> [Impact Code execution] | |
> true | |
> | |
> ------------------------------------------ | |
> | |
> [Reference] | |
> https://our.umbraco.com/download/releases/738/ | |
> | |
> ------------------------------------------ | |
> | |
> [Discoverer] | |
> CHT Security/hans |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It is, but it is not really the responsibility of neither us or the CMS documentation to educate developers in best practices on standard framework/code topics and skills that any developer should possess. Our documentation will contain information related to Umbraco and the APIs, extensions and features we make available - it is not supposed to serve directly as an educational resource for developers to learn to write better code. There's much better resources available for you if you have that need.