CVE-2017-12585

moderate-risk
Published 2017-08-06

SLiMS 8 Akasia through 8.3.1 has SQL injection in admin/AJAX_lookup_handler.php (tableName and tableFields parameters), admin/AJAX_check_id.php, and admin/AJAX_vocabolary_control.php. It can be exploited by remote authenticated librarian users.

Do I need to act?

-
0.51% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (5)

Akasia
Akasia
Akasia
Akasia
Akasia

Affected Vendors

Slims

References (2)

Exploit https://github.com/slims/slims8_akasia/issues/47
Exploit https://github.com/slims/slims8_akasia/issues/47
44
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 2/34 · Minimal
Exposure 12/34 · Low