CVE-2022-43278: The Canteen Management System v1.0 has a SQL injection vulnerability in the categoriesId parameter of /php_action/fetchSelectedCategories.php.
An attacker can exploit this to execute arbitrary SQL commands with root privileges. Reportedly, the vendor fixed the issue in version 1.1.1, released on August 7, 2018.
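The following is an added illustration of the vulnerability class described above, not code from the Canteen Management System or from the advisory. It uses a constructed SQLite table and hypothetical function names to contrast the anti-pattern behind this kind of CVE (request input spliced into SQL text) with the hardened form (shape validation plus a bound parameter), so a reviewer can see why the same input yields different results in each case.

```python
import re
import sqlite3

# Constructed sample rows standing in for a categories table; this is not the
# real application's schema or data.
SEED_ROWS = [
    (1, "Breakfast"),
    (2, "Lunch"),
    (3, "Internal"),
]

# categoriesId is an integer key, so anything outside this shape is rejected.
CATEGORIES_ID_PATTERN = re.compile(r"[0-9]{1,10}")


def make_db():
    """Builds an in-memory database with the constructed categories table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE categories (categoriesId INTEGER PRIMARY KEY, name TEXT)"
    )
    conn.executemany("INSERT INTO categories VALUES (?, ?)", SEED_ROWS)
    return conn


def fetch_selected_categories_vulnerable(conn, categories_id):
    """Hypothetical vulnerable handler: the request value is concatenated
    into the query, so the database parses attacker-controlled text as SQL."""
    sql = (
        "SELECT categoriesId, name FROM categories WHERE categoriesId = "
        + categories_id
    )
    return conn.execute(sql).fetchall()


def is_valid_categories_id(categories_id):
    """Input-validation check reusable in the handler and in request logging."""
    return CATEGORIES_ID_PATTERN.fullmatch(categories_id) is not None


def fetch_selected_categories_hardened(conn, categories_id):
    """Hypothetical fixed handler: validate the shape, then bind the value as a
    parameter so the query structure can never be altered by the input."""
    if not is_valid_categories_id(categories_id):
        raise ValueError("categoriesId must be a positive integer")
    sql = "SELECT categoriesId, name FROM categories WHERE categoriesId = ?"
    return conn.execute(sql, (int(categories_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", fetch_selected_categories_vulnerable(db, "2"))
    print("vulnerable, tampered input:", fetch_selected_categories_vulnerable(db, "2 OR 1=1"))
    print("hardened, normal input:", fetch_selected_categories_hardened(db, "2"))
    print("hardened rejects tampered input:", not is_valid_categories_id("2 OR 1=1"))
```

The validation step is deliberately separate from the query so the same predicate can drive a detection rule: a request whose categoriesId fails the integer check is worth logging as a probe even before it reaches the database.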
Plexus CMS/Pinnacle CMS
Another critical CMS that has been under fire for its lack of critical patches is Plexus/Pinnacle CMS. The array of flaws found in this CMS is overwhelming. However, one of the most critical vulnerabilities discovered in Plexus/Pinnacle CMS is the SQL injection flaw at any of the following locations:
/admin/settings.php
/admin/add.php
/admin/search.php
/admin/login.php
/admin/editProfile.php
/admin/profile.php
/admin/editGroup.php
/admin/editSubGroup.php
/admin/editSubCategory.php
/admin/editRelatedCategory.php
/Admin/content.php
/Admin/editAll.php
/Admin/addAdmin.php
/Admin/deleteAdmin.php
Apache Struts
A flaw in the Apache Struts library (CVE-2018-11776) has been exploited by attackers to execute arbitrary commands as root on web servers.
Timeline
Published on: 11/09/2022 16:15:00 UTC
Last modified on: 11/09/2022 17:07:00 UTC