
Security Advisory: Elcom CMS SQL Injection

Posted by David Chadwick - 18 July, 2019


Elcom CMS SQL Injection

Release date: 04/07/2019

Last update: 04/07/2019

Vendor: Elcom

Vendor site: https://www.elcom.com.au/

Product: Elcom CMS

Affected version(s): 10.0.6.21

Remediated version: 10.7

Severity Rating: Medium

Impact: Exposure of sensitive information

Attack vector: Remote without authentication

CVE: CVE-2019-12946


Details: Elcom CMS before 10.7 has SQL Injection via the EventSearchByState.aspx and EventSearchAdv.aspx pages.

Recommendation: This vulnerability has been patched and tested in v10.7. Elcom is also able to work with any clients not ready for an upgrade to ensure that the vulnerability is mitigated.

Discovered by: David Chadwick from Content Security Pty. Ltd.

