Saurus CMS Community Edition since commit d886e5b0 (2010-04-23) is vulnerable to a SQL Injection vulnerability in the `prepareSearchQuery()` method in `FulltextSearch.class.php`. The application directly concatenates user-supplied input (`$search_word`) into SQL queries without sanitization, allowing attackers to manipulate the SQL logic and potentially extract sensitive information or escalate their privileges.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Saurus |
|
No data.
No data.
References
History
Tue, 05 Aug 2025 12:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Saurus
Saurus saurus Cms |
|
| Vendors & Products |
Saurus
Saurus saurus Cms |
Fri, 01 Aug 2025 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-89 | |
| Metrics |
cvssV3_1
|
Fri, 01 Aug 2025 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Saurus CMS Community Edition since commit d886e5b0 (2010-04-23) is vulnerable to a SQL Injection vulnerability in the `prepareSearchQuery()` method in `FulltextSearch.class.php`. The application directly concatenates user-supplied input (`$search_word`) into SQL queries without sanitization, allowing attackers to manipulate the SQL logic and potentially extract sensitive information or escalate their privileges. | |
| References |
|
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2025-08-01T00:00:00.000Z
Updated: 2025-08-01T17:30:08.528Z
Reserved: 2025-06-16T00:00:00.000Z
Link: CVE-2025-52390
Vulnrichment
Updated: 2025-08-01T17:27:53.960Z
NVD
Status : Awaiting Analysis
Published: 2025-08-01T16:15:42.203
Modified: 2025-08-04T15:06:15.833
Link: CVE-2025-52390
Redhat
No data.