SQL injection vulnerability in Moxa SoftCMS before 1.5 allows remote attackers to execute arbitrary SQL commands via unspecified fields.
Vulnerabilidad de inyección SQL en Moxa SoftCMS en versiones anteriores a 1.5 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de campos no especificados.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Moxa SoftCMS. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the getcaminfo.asp script. When parsing the VWID element, the process fails to properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute arbitrary code in the context of the database access process, which runs as Administrator.
