CVE-2017-20195 LUNAD3v AreaLoad request.php SQL Injection Vulnerability

Key Information 1. Vulnerability ID: - VDB-281987 - CVE-2017-20195 2. Vulnerability Name: - LUNAD3V AREALOAD UP TO 1A1103182ED63A06DDE63D1712F3262EDA19C3EC REQUEST.PHP PHONE SQL INJECTION 3. CVSS Meta Temp Score: - 5.3 4. Current Vulnerability Price: - $0-$5k 5. CTI Interest Score: - 1.26 6. Vulnerability Description: - A vulnerability has been discovered in LUNAD3v AreaLoad up to 1a1103182ed63a06ddee63d1712f3262eda19c3ec. It affects some unknown request.php file handling. Manipulation of the phone parameter with unknown input leads to an SQL injection vulnerability. The issue is described using CWE, resulting in CWE-89. The product constructs SQL commands using external influence input, but does not properly neutralize or fails to neutralize special characters that could alter the SQL commands sent to downstream components. This impacts confidentiality, integrity, and availability. 7. Disclosure Date: - June 1, 2017 8. Vulnerability Identification: - CVE-2017-20195 9. Exploit Difficulty: - Known to be easy to exploit 10. Technical Details: - Known, but no available exploit 11. Attack Technique: - T1505 (according to MITRE ATT&CK) 12. Search Method: - Vulnerable targets can be found by searching for inurl:request.php 13. Remediation: - Applying patch 264813c546db03989ac0fc365f2022bf65e3be2 will resolve this issue. The fix patch is ready for download and can be found on github.com. 14. Vulnerability Similarity: - VDB-37289 and VDB-82927 are very similar to this vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2017-20195 LUNAD3v AreaLoad request.php SQL Injection Vulnerability