
Security Advisory: Elcom CMS SQL Injection

Posted by David Chadwick - 18 July, 2019

Elcom CMS SQL Injection

Release date: 04/07/2019

Last update: 04/07/2019

Vendor: Elcom

Vendor site: https://www.elcom.com.au/

Product: Elcom CMS

Affected version(s): 10.0.6.21

Remediated version: 10.7

Severity Rating: Medium

Impact: Exposure of sensitive information

Attack vector: Remote without authentication

CVE: CVE-2019-12946

 

Details: Elcom CMS before 10.7 has SQL Injection via the EventSearchByState.aspx and EventSearchAdv.aspx pages.

Recommendation: This vulnerability has been patched and tested in v10.7. Elcom is also able to work with any clients not ready for an upgrade to ensure that the vulnerability is mitigated.

Discovered by: David Chadwick from Content Security Pty. Ltd.

