Elcom CMS SQL Injection
Release date: 04/07/2019
Last update: 04/07/2019
Vendor site: https://www.elcom.com.au/
Product: Elcom CMS
Affected version(s): 10.0.6.21
Remediated version: 10.7
Severity Rating: Medium
Impact: Exposure of sensitive information
Attack vector: Remote without authentication
Details: Elcom CMS before 10.7 has SQL Injection via the EventSearchByState.aspx and EventSearchAdv.aspx pages.
Recommendation: This vulnerability has been patched and tested in v10.7. Elcom is also able to work with any clients not ready for an upgrade to ensure that the vulnerability is mitigated.
Discovered by: David Chadwick from Content Security Pty. Ltd.
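
A log-review check for sites that ran a version before 10.7, as an added example that is not part of the original advisory or of Elcom's code: it scans IIS W3C logs for requests to the two affected pages whose decoded query string contains SQL syntax. It assumes the site logs in IIS W3C format; the sample log lines, the `state` and `keyword` parameter names, and the marker list are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Pages named in the advisory, lower-cased for case-insensitive matching.
AFFECTED_PAGES = ("eventsearchbystate.aspx", "eventsearchadv.aspx")

# Heuristic SQL markers (assumption: tune against legitimate search traffic).
SQL_MARKERS = re.compile(
    r"'|--|;|/\*|\b(union|select|insert|update|delete|drop|exec|waitfor|declare)\b",
    re.IGNORECASE,
)

# Constructed sample log; parameter names and addresses are hypothetical.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status
2019-06-01 10:00:01 GET /EventSearchByState.aspx state=NSW 192.0.2.10 - 200
2019-06-01 10:00:05 GET /EventSearchByState.aspx state=NSW%27-- 198.51.100.7 - 500
2019-06-01 10:00:09 GET /EventSearchAdv.aspx keyword=a%2527 198.51.100.7 - 500
2019-06-01 10:00:12 GET /Search.aspx q=O%27Brien 192.0.2.11 - 200
""".splitlines()


def suspicious_requests(log_lines):
    """Return (date, time, client_ip, page, decoded_query) for flagged requests."""
    fields, hits = [], []
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared per log file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        page = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "-")
        if not page.endswith(AFFECTED_PAGES) or query == "-":
            continue
        # Decode twice so double-encoded input (%2527 -> %27 -> ') is seen.
        decoded = unquote_plus(unquote_plus(query))
        if SQL_MARKERS.search(decoded):
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"), page, decoded))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit)
```

IIS W3C logs record the query string but not request bodies, so input submitted by POST would not appear in this review.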