|
Description
|
|
Multiple vulnerabilities have been identified in e-Vision CMS, which could be exploited by remote attackers to execute arbitrary SQL queries or disclose the contents of arbitrary files.
The first issue is caused by an input validation error in the "admin/functions.php" script that does not validate the "adminlang" cookie parameter, which could be exploited by malicious users to include local files with the privileges of the web server.
The second vulnerability is caused by input validation errors in the "style.php" script that does not validate certain parameters (e.g. "template") when executing SQL queries, which could be exploited by malicious people to conduct SQL injection attacks.
The third issue is caused by an input validation error in the "admin/show_img.php" script that does not validate the "img" parameter before being passed as an argument to a "fread()" call, which could be exploited by attackers to download arbitrary files from a vulnerable web server.
|
