|
Description
|
|
Multiple vulnerabilities have been identified in LoveCMS, which could be exploited by remote attackers to execute SQL commands or disclose the contents of arbitrary files.
The first issue is due to an input validation error in the "index.php" script that does not validate the "load" parameter, which could be exploited by malicious users to include local files with the privileges of the web server.
The second issue is due to an input validation error in the "modules/content/index.php" script that does not validate the "id" parameter when executing SQL queries, which could be exploited by malicious people to conduct SQL injection or cross site scripting attacks.
Note : A remote file inclusion issue has also been reported in the "install/index.php" script when processing the "step" parameter. However, the affected script is usually deleted by administrators after the installation process.
|
