Arbitrary PHP Code Execution via SQL Injection in EmpireCMS 7.5

CVE-2018-19462 · MEDIUM Severity

AV:N/AC:L/Au:S/C:P/I:P/A:P

admin\db\DoSql.php in EmpireCMS through 7.5 allows remote attackers to execute arbitrary PHP code via SQL injection that uses a .php filename in a SELECT INTO OUTFILE statement to admin/admin.php.
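
A defender-side check for the pattern the description names, as an added example that is not part of the advisory or of EmpireCMS: it flags SQL statements (for instance from a database query log) whose INTO OUTFILE or INTO DUMPFILE clause targets a script extension. The function names, the extensions beyond .php and the sample statements are assumptions constructed for illustration, and the match is a heuristic.

```python
import re

# Extensions a PHP-enabled web server commonly executes. The advisory names
# .php; the others are an assumed generalization.
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")

# MySQL runs the body of /*!NNNNN ... */ comments, so unwrap those before
# discarding ordinary /* ... */ comments that can stand in for whitespace.
_EXEC_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.DOTALL)
_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_FILE_WRITE = re.compile(
    r"\bINTO\s+(OUTFILE|DUMPFILE)\s*(['\"])(.+?)\2", re.IGNORECASE | re.DOTALL
)

def file_write_targets(sql):
    """Return (keyword, path) for each INTO OUTFILE/DUMPFILE clause."""
    flat = _EXEC_COMMENT.sub(r" \1 ", sql)
    flat = _COMMENT.sub(" ", flat)
    return [(m.group(1).upper(), m.group(3)) for m in _FILE_WRITE.finditer(flat)]

def classify(sql):
    """'ok', 'file-write', or 'script-write' (target has a script extension)."""
    targets = file_write_targets(sql)
    if not targets:
        return "ok"
    if any(path.strip().lower().endswith(SCRIPT_EXTS) for _, path in targets):
        return "script-write"
    return "file-write"

def scan(statements):
    """Return (index, verdict, targets) for every statement that writes a file."""
    return [(i, classify(s), file_write_targets(s))
            for i, s in enumerate(statements) if classify(s) != "ok"]

# Constructed sample statements (not taken from the advisory).
SAMPLE = [
    "SELECT id, title FROM articles WHERE id = 3",
    "select 'placeholder' into outfile '/var/www/html/x.php'",
    "SELECT * FROM articles INTO/**/OUTFILE '/tmp/export.csv'",
    'SELECT 1 /*!50000INTO*/ DUMPFILE "/srv/www/up.PHP"',
]

if __name__ == "__main__":
    for idx, verdict, targets in scan(SAMPLE):
        print(idx, verdict, targets)
```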
