Primary

Context

FoxCMS SQL Injection Vulnerability in Download Controller

Vulnerability

A critical SQL injection vulnerability has been identified in FoxCMS versions through 1.2.5. The issue resides in the 'batchCope' function of 'app/admin/controller/Download.php', where improper handling of the 'ids' argument allows for SQL injection. This vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to the database. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to the 'app/admin/controller/Download.php' file with manipulated 'ids' parameters. This can be done by using a SQL injection payload that exploits the application's SQL query handling. Vulnerable targets can be found using Google Hacking by searching for 'inurl:app/admin/controller/Download.php'.

Added: Jun 15, 2025, 11:18 PM

Updated: Jun 15, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

8.7

remediation

0.0

relevance

0.2

threat

6.4

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

8.7

remediation

0.0

relevance

0.2

threat

6.4

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

FoxCMS SQL Injection Vulnerability in Download Controller

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating