Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-ykdy-w9mz-fuer
SummaryInstantCMS is a free and open source content management system. A SQL injection vulnerability affects instantcms v2.16.2 in which an attacker with administrative privileges can cause the application to execute unauthorized SQL code. The vulnerability exists in index_chart_data action, which receives an input from user and passes it unsanitized to the core model `filterFunc` function that further embeds this data in an SQL statement. This allows attackers to inject unwanted SQL code into the statement. The `period` should be escaped before inserting it in the query. As of time of publication, a patched version is not available.
Aliases
0
alias CVE-2024-31212
Fixed_packages
Affected_packages
References
0
reference_url https://user-images.githubusercontent.com/109034767/300806111-a33d9548-d99f-4034-bef3-fbd7fa62c37f.png
reference_id 300806111-a33d9548-d99f-4034-bef3-fbd7fa62c37f.png
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-16T00:00:40Z/
url https://user-images.githubusercontent.com/109034767/300806111-a33d9548-d99f-4034-bef3-fbd7fa62c37f.png
1
reference_url https://github.com/instantsoft/icms2/security/advisories/GHSA-qx95-w566-73fw
reference_id GHSA-qx95-w566-73fw
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-16T00:00:40Z/
url https://github.com/instantsoft/icms2/security/advisories/GHSA-qx95-w566-73fw
2
reference_url https://github.com/instantsoft/icms2/blob/4691a1524780e74107f6009b48d91e17a81b0fa1/system/controllers/admin/actions/index_chart_data.php#L190
reference_id index_chart_data.php#L190
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-16T00:00:40Z/
url https://github.com/instantsoft/icms2/blob/4691a1524780e74107f6009b48d91e17a81b0fa1/system/controllers/admin/actions/index_chart_data.php#L190
3
reference_url https://github.com/instantsoft/icms2/blob/4691a1524780e74107f6009b48d91e17a81b0fa1/system/core/model.php#L744
reference_id model.php#L744
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-16T00:00:40Z/
url https://github.com/instantsoft/icms2/blob/4691a1524780e74107f6009b48d91e17a81b0fa1/system/core/model.php#L744
Weaknesses
0
cwe_id 20
name Improper Input Validation
description The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
1
cwe_id 89
name Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
description The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Exploits
Severity_range_score6.7 - 6.7
Exploitabilitynull
Weighted_severitynull
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-ykdy-w9mz-fuer