Atom CMS SQL Injection Vulnerability in Admin Index Page

Vulnerability

A SQL injection vulnerability has been identified in Atom CMS version 2.0. This issue allows remote attackers to execute time-based blind SQL injection attacks by injecting malicious SQL code into the 'id' parameter of the admin index page. The vulnerability arises from improper validation of parameters, enabling unauthorized manipulation of database queries.

Impact

Exploitation of this vulnerability allows for unauthenticated SQL injection, where attackers can execute arbitrary SQL commands, potentially leading to unauthorized data access or manipulation.

Reproduction

To reproduce this vulnerability, send a POST request to the admin index page with a crafted 'id' parameter that includes malicious SQL code. The injected SQL can, for example, use the 'sleep' function to produce a time-based blind SQL injection effect, demonstrating the vulnerability.

Remediation

Users are advised to update to Atom CMS version 2.1, which includes security patches for this vulnerability.
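
For triage while the upgrade is rolled out, the following added example (not Atom CMS code and not part of the original advisory) scans request logs for POSTs to the admin index page whose 'id' is not a plain integer, and raises severity when the response was slow or the value mentions 'sleep'. The JSON-lines log format, field names, the path /admin/index.php, the 3-second threshold and the sample records are all assumptions constructed for illustration.

```python
import json
import re

# Assumptions (not from the advisory): JSON-lines request log with these field
# names, the admin index path below, and the latency threshold.
ADMIN_INDEX_PATH = "/admin/index.php"  # hypothetical path; adjust per deployment
SLOW_SECONDS = 3.0
PLAIN_INT = re.compile(r"[0-9]{1,10}")

# Constructed sample records, not real traffic. The last line is deliberately malformed.
SAMPLE_LOG = """\
{"src":"198.51.100.7","method":"POST","path":"/admin/index.php","params":{"id":"12"},"duration":0.08}
{"src":"198.51.100.7","method":"POST","path":"/admin/index.php","params":{"id":"7"},"duration":4.20}
{"src":"203.0.113.9","method":"GET","path":"/index.php","params":{"id":"x"},"duration":0.05}
{"src":"203.0.113.9","method":"POST","path":"/admin/index.php","params":{"id":"12'"},"duration":0.06}
{"src":"203.0.113.9","method":"POST","path":"/admin/index.php","params":{"id":"12 sleep(5)"},"duration":5.11}
{"src":"203.0.113.9","method":"POST"
"""


def classify(record):
    """Return a finding for a suspicious POST to the admin index, else None."""
    if record.get("method") != "POST" or record.get("path") != ADMIN_INDEX_PATH:
        return None
    raw_id = (record.get("params") or {}).get("id")
    if raw_id is None or PLAIN_INT.fullmatch(str(raw_id)):
        return None  # a plain integer id is treated as benign, even if slow
    reasons = ["non-integer id"]
    if float(record.get("duration", 0)) >= SLOW_SECONDS:
        reasons.append("slow response")  # consistent with a time-based probe
    if "sleep" in str(raw_id).lower():
        reasons.append("sleep keyword")
    severity = "high" if len(reasons) > 1 else "medium"
    return {"src": record.get("src"), "id": raw_id, "severity": severity, "reasons": reasons}


def scan(log_text):
    """Parse JSON lines, skip unparseable ones, and collect findings."""
    findings = []
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(record) if isinstance(record, dict) else None
        if finding:
            findings.append(finding)
    return findings
```

Calling scan(SAMPLE_LOG) returns two findings: a medium one for the non-integer 'id' with a fast response and a high one where the non-integer 'id' coincides with a slow response. The slow request with a plain integer 'id' is not flagged.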

Added: Dec 22, 2025, 10:42 PM
Updated: Dec 22, 2025, 10:42 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 1.7
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.