Critical SQL Injection Vulnerability in REDAXO 5.6.3 and Earlier Versions

CVE-2018-17831 · HIGH Severity

CVSS v2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

In REDAXO before 5.6.3, a critical SQL injection vulnerability exists in the rex_list class, caused by the prepareQuery function in core/lib/list.php and reachable via the sort parameter of index.php?page=users/users. The backend was affected; the frontend was affected only if rex_list was used there.
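
A sort column and direction cannot be bound as prepared-statement parameters, so the usual mitigation for this class of bug is an allowlist. The following is an added example, not REDAXO's code or its actual patch; the function `buildOrderBy`, the table `example_user` and the column names are hypothetical.

```php
<?php
declare(strict_types=1);

// Unsafe pattern (illustrative only): a request value concatenated into the query.
//   $sql .= ' ORDER BY ' . $_GET['sort'];

/**
 * Hypothetical helper: build an ORDER BY clause from request input.
 * The column must match an allowlist exactly; the direction is reduced
 * to one of two constants. Nothing from the request is copied into SQL.
 */
function buildOrderBy(array $allowedColumns, ?string $sort, ?string $direction, string $default): string
{
    if (!in_array($default, $allowedColumns, true)) {
        throw new InvalidArgumentException('Default sort column must be allowlisted');
    }
    // Strict match against known column names; anything else falls back to the default.
    $column = ($sort !== null && in_array($sort, $allowedColumns, true)) ? $sort : $default;
    // Only ASC or DESC can be emitted, regardless of what was submitted.
    $dir = (strtoupper(trim((string) $direction)) === 'DESC') ? 'DESC' : 'ASC';
    // MySQL-style identifier quoting; allowlisted names contain no backticks.
    return sprintf('ORDER BY `%s` %s', $column, $dir);
}

// Constructed sample inputs: [sort, direction]
$allowed = ['id', 'name', 'login', 'lastlogin'];
$samples = [
    ['login', 'desc'],              // valid column, valid direction
    ['name', null],                 // direction missing, defaults to ASC
    ['login, (SELECT 1)', 'asc'],   // not an exact column name, default used
    ['id', 'ASC; --'],              // direction is not DESC, ASC emitted
];

foreach ($samples as [$sort, $dir]) {
    $sql = 'SELECT id, name, login FROM example_user '
         . buildOrderBy($allowed, $sort, $dir, 'name');
    printf("%-24s %-10s => %s\n", var_export($sort, true), var_export($dir, true), $sql);
}
```

Logging requests whose `sort` value fails the allowlist gives a cheap detection signal for probing against list pages.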
