An attacker can inject arbitrary SQL commands into the vulnerable website's database through ant_plist.

An attacker can exploit this vulnerability to view or modify other users' data and perform potentially malicious actions with that data.

Furthermore, it is also possible to view or modify the website administrator's data.

SEMCMS SHOP v 1.1 is also vulnerable to Remote Code Execution due to its failure to sanitize user-controlled input.

An attacker can exploit this vulnerability to take down the website and gain full access to it.

SEMCMS SHOP v 1.1 is also at risk of denial of service due to its failure to properly sanitize user-controlled input.

By injecting specially crafted data into the website's database, it is possible to crash the website and prevent it from functioning properly.

An attacker can exploit this vulnerability to generate a crash and prevent the website from working properly.

SEMCMS SHOP v 1.1 is at risk of being exploited by hackers due to its failure to require authentication.

SEMCMS SHOP v 1.1 does not require a password to be entered upon login.

SEMCMS SHOP v 1.1 is also at risk of being exploited due to its failure to properly restrict access to administrative functions.

SEMCMS SHOP v 1.1 does not have a login system in

Mitigation Strategies:

The following mitigation strategies were used to fix this vulnerability:
- Apply the patch provided by the vendor to remediate the vulnerability.
- Enable authentication for the "admin" account.

Timeline

Published on: 10/28/2022 16:15:00 UTC
Last modified on: 10/28/2022 18:47:00 UTC
