cvedb.io
CVE-2018-9247
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2018-04-04T00:29:00.277 · Last modified 2026-06-17T02:06:17.180

Summary

The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in Gxlcms QY v1.0.0713 allows remote attackers to execute arbitrary SQL statements via the sql parameter. Consequently, an attacker can execute arbitrary PHP code by placing it after a <?php substring, and then using INTO OUTFILE with a .php filename.

Affected products

gxlcms — gxlcms_qy

Does this affect you?

Add your gear to cvedb and we'll alert you only when gxlcms ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.