An authenticated attacker with the user/role "Poweruser" can perform an SQL injection by accessing the /class/template_io.php file and supplying malicious GET parameters. The "templates" parameter is vulnerable to blind boolean-based SQL injection attacks. SQL syntax must be injected into the JSON syntax of the templates parameter.
Reserved 2024-10-25 | Published 2024-12-12 | Updated 2024-12-13 | Assigner SEC-VLab
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Daniel Hirschberger (SEC Consult Vulnerability Lab)
Tobias Niemann (SEC Consult Vulnerability Lab)
r.sec-consult.com/imageaccess
www.imageaccess.de/?page=SupportPortal&lang=en
Support options