CVE-2020-7356 — CRITICAL (10.0)

Vulnerability Description

CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability. Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and execute SYSTEM commands.

CVSS Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Cayintech	Xpost	1.0

Related Weaknesses (CWE)

CWE-89

References

https://github.com/rapid7/metasploit-framework/pull/13607PatchThird Party Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.phpExploitThird Party Advisory
https://github.com/rapid7/metasploit-framework/pull/13607PatchThird Party Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.phpExploitThird Party Advisory

FAQ

What is CVE-2020-7356?

CVE-2020-7356 is a vulnerability with a CVSS score of 10.0 (CRITICAL). CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability. Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp is not properly sanitized before being retu...

How severe is CVE-2020-7356?

CVE-2020-7356 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-7356?

Check the references section above for vendor advisories and patch information. Affected products include: Cayintech Xpost.