Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction. This issue has been patched in version 2.6.11.
The vulnerability consists of direct SQL command injection (SQL injection, CWE-89) through input data passed to article creation and update functions in the Emlog system. An attacker can craft a malicious query that will be executed directly by the database engine without proper validation or parameterization of input data. The attack is possible remotely, without authentication and without any user interaction.
An attacker can gain full control over the database — read, modify or delete stored data, which can lead to data theft, system destruction or complete compromise of the service's integrity.
Emlog must be updated immediately to version 2.6.11 or newer, in which the vulnerability has been patched. Details available in vendor references: https://github.com/emlog/emlog/security/advisories/GHSA-xxj8-fc63-j3gw
Emlog versions prior to 2.6.11 (open source website building system).
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X