漏洞类别:CGI
漏洞等级: 
漏洞信息
WBCE is an easy to use content management system basing on PHP/MySQL. The open source CMS is free for personal and commercial use.
WBCE CMS contains the following vulnerabilities:
CVE-2017-2118: Cross-site scripting vulnerability allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2017-2119: Directory traversal vulnerability allows remote attackers to read arbitrary files via unspecified vectors.
CVE-2017-2120: SQL injection vulnerability allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors.
Affected Versions:
WBCE CMS 1.1.10 and prior
QID Detection Logic:
This unauthenticated detection depends on the BlindElephant engine to detect the version of WBCE CMS installation as active attacks could potentially harm live installations.
漏洞危害
Depending on the vulnerability being exploited, a remote attacker could execute SQL code, traverse directories or conduct cross-site scripting attacks against a targeted server.
解决方案
Customers are advised to install WBCE CMS 1.1.11 or later versions to remediate these vulnerabilities.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论