CVE-2022-38541 Archery v1.8.3 to v1.8.5 had multiple SQL injection vulnerabilities in the my2sql interface.

An attacker who can reach the my2sql interface can inject arbitrary SQL into the statement Archery builds from the request, and that SQL runs with the grants of the database account Archery connects with rather than being limited to the actions the interface is meant to allow.

The injectable inputs are the start_time and stop_time parameters. Values supplied in these parameters are placed into the SQL that Archery runs on behalf of the request without being validated or bound as parameters, so a value that closes the quoted string changes the structure of the statement instead of acting as a time bound. The affected releases are v1.8.3 through v1.8.5.
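As an added illustration, not Archery's own code and not the exact query from the affected releases, the following Python shows the pattern behind a time-range injection of this kind next to its hardened form. It runs against an in-memory SQLite table filled with constructed rows; the table, column and function names are assumptions for the demo, not Archery's schema.

```python
import sqlite3
from datetime import datetime

# Constructed sample data: a small events table standing in for whatever
# a time-range query filters. Not Archery's schema.
SAMPLE_ROWS = [
    ("2022-08-01 10:00:00", "db1", "INSERT"),
    ("2022-08-02 10:00:00", "db1", "UPDATE"),
    ("2022-08-03 10:00:00", "db2", "DELETE"),
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def make_db():
    """Build the in-memory database used by both query variants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (event_time TEXT, db_name TEXT, sql_type TEXT)"
    )
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn, start_time, stop_time):
    """Vulnerable pattern: request values are pasted into the statement.

    A stop_time of  x' OR '1'='1  closes the quoted literal and appends a
    tautology, so the WHERE clause matches every row.
    """
    sql = (
        "SELECT event_time, db_name, sql_type FROM events "
        f"WHERE event_time >= '{start_time}' AND event_time <= '{stop_time}'"
    )
    return conn.execute(sql).fetchall()


def parse_time(value):
    """Strict allow-list: reject anything that is not a timestamp in TIME_FMT.

    Raises ValueError for malformed input, so injection payloads never
    reach the database at all.
    """
    return datetime.strptime(value, TIME_FMT).strftime(TIME_FMT)


def query_safe(conn, start_time, stop_time):
    """Hardened form: validated values passed as bound parameters."""
    start, stop = parse_time(start_time), parse_time(stop_time)
    sql = (
        "SELECT event_time, db_name, sql_type FROM events "
        "WHERE event_time >= ? AND event_time <= ? ORDER BY event_time"
    )
    return conn.execute(sql, (start, stop)).fetchall()


def demo():
    """Run a legitimate range and an injected range through both variants."""
    conn = make_db()
    legit = ("2022-08-02 00:00:00", "2022-08-02 23:59:59")
    payload = ("2022-08-02 00:00:00", "x' OR '1'='1")  # constructed payload
    result = {
        "vuln_legit": len(query_vulnerable(conn, *legit)),
        "vuln_payload": len(query_vulnerable(conn, *payload)),
        "safe_legit": len(query_safe(conn, *legit)),
    }
    try:
        query_safe(conn, *payload)
        result["safe_payload"] = "executed"
    except ValueError:
        result["safe_payload"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The legitimate range returns one row from both variants; the injected stop_time returns all three rows from the vulnerable query and is rejected before execution by the hardened one. Binding parameters alone would already stop the injection; the format check is there so that an attacker cannot smuggle other values through a field that only ever needs a timestamp.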

The Initial Discovery

The issue was assigned CVE-2022-38541 and published on September 13, 2022 (see the timeline below). It covers SQL injection in the my2sql interface of Archery v1.8.3 through v1.8.5. No patched release is named here; releases after v1.8.5 fall outside the affected range.

Archery Authentication and Authorization

Archery's interfaces sit behind its login, and individual features such as my2sql are gated by per-user permissions inside the application. The injection does not bypass that login; it matters because Archery runs the resulting SQL with the credentials it holds for the managed database instance. A user who is allowed to use the interface at all can therefore make the database account do anything its grants allow, not only what the interface was designed to do. Restricting the grants of the account Archery uses limits the impact but does not remove the injection.

Archery Overview

Archery is an open-source SQL audit and query platform (hhyo/Archery on GitHub), written in Python on Django. It stores connection details for the database instances it manages and gives DBAs and developers a web interface for submitting SQL for review, executing approved changes, running ad-hoc queries, and using supporting tools such as my2sql for binlog analysis.

Timeline

Published on: 09/13/2022 15:15:00 UTC
Last modified on: 09/14/2022 22:25:00 UTC

References