Description

PMB 7.4.6 contains a SQL injection vulnerability in the storage parameter of the ajax.php endpoint that allows remote attackers to manipulate database queries. Attackers can exploit the unsanitized 'id' parameter by injecting conditional sleep statements to extract information or perform time-based blind SQL injection attacks.

PUBLISHED Reserved 2025-12-20 | Published 2025-12-23 | Updated 2025-12-23 | Assigner VulnCheck

CRITICAL: 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
HIGH: 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

7.4.6: affected

Credits

str0xo DZ (Walid Ben), finder

References

www.exploit-db.com/exploits/51197 (ExploitDB-51197) exploit

www.sigb.net (Vendor Homepage) product

forge.sigb.net/redmine/projects/pmb/files (Software Download Repository) product

www.vulncheck.com/...ility-via-unsanitized-storage-parameter (VulnCheck Advisory: PMB 7.4.6 SQL Injection Vulnerability via Unsanitized Storage Parameter) third-party-advisory

cve.org (CVE-2023-53982)

nvd.nist.gov (CVE-2023-53982)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.