SQL injection flaw reported in dingfanzu CMS

A critical severity vulnerability has been identified in dingfanzu CMS, tracked as CVE-2024-8302 (CVSS score 6.3). Dingfanzu is a Chinese content management system (CMS).

The vulnerability specifically affects the file /ajax/chpwd.php and allows remote attackers to execute arbitrary SQL commands by manipulating the username argument. The vulnerability impacts all versions of dingfanzu CMS up to and including 29d67d9044f6f93378e6eb6ff92272217ff7225c.

This SQL injection vulnerability could potentially lead to unauthorized access, data theft, or manipulation of the database, compromising the integrity and confidentiality of the affected systems.

As of now, there has been no response from the vendor regarding remediation efforts, leaving affected users at risk. To mitigate this vulnerability, organizations are advised to apply updates immediately as they become available from the vendor and if possible restrict access to the affected file (/ajax/chpwd.php).

Given the critical nature of this vulnerability and the lack of an official patch, it is crucial for organizations using dingfanzu CMS to take immediate action to protect their systems and data.