VYPR
Critical severity 9.8 · NVD Advisory · Published Apr 4, 2018 · Updated Jun 17, 2026

CVE-2018-9247

Description

The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in Gxlcms QY v1.0.0713 allows remote attackers to execute arbitrary SQL statements via the sql parameter. Consequently, an attacker can execute arbitrary PHP code by placing it after a <?php substring, and then using INTO OUTFILE with a .php filename.
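As an added illustration (not Gxlcms code), the kind of guard an admin "run SQL" feature could apply before handing operator-supplied statements to MySQL; the function, patterns and sample statements below are assumptions, and the durable fix remains dropping raw-SQL execution from the web UI and setting MySQL's secure_file_priv to NULL, which disables INTO OUTFILE/DUMPFILE and LOAD_FILE server-wide.

```python
import re

# Added illustration, not Gxlcms code: refuse operator-supplied SQL that could
# read or write files on the database host. A denylist is a stop-gap; the real
# fix is removing raw-SQL execution and setting secure_file_priv = NULL in MySQL.

# MySQL keywords cannot be split by comments or whitespace, so a word-boundary
# search over the raw text also catches INTO/**/OUTFILE and INTO#<newline>OUTFILE.
FILE_KEYWORD_RE = re.compile(r"\b(OUTFILE|DUMPFILE|LOAD_FILE)\b", re.IGNORECASE)
# First quoted string after OUTFILE/DUMPFILE: the file the statement would write.
TARGET_RE = re.compile(
    r"""\b(?:OUTFILE|DUMPFILE)\b[^'"]*(['"])((?:(?!\1)[^\\]|\\.)*)\1""",
    re.IGNORECASE)
# Extensions a typical web server hands to the PHP interpreter.
EXECUTABLE_EXT = (".php", ".phtml", ".phar")


def classify_sql(sql: str) -> dict:
    """Classify one operator-supplied statement.

    Returns {"allowed", "keyword", "target", "webshell_risk"}. Any file keyword
    is refused, even inside a string literal: for an admin SQL console a false
    positive is far cheaper than a .php file written under the webroot.
    """
    kw = FILE_KEYWORD_RE.search(sql)
    if kw is None:
        return {"allowed": True, "keyword": None, "target": None,
                "webshell_risk": False}
    tgt = TARGET_RE.search(sql)
    target = tgt.group(2) if tgt else None
    risk = target is not None and target.lower().endswith(EXECUTABLE_EXT)
    return {"allowed": False, "keyword": kw.group(1).upper(), "target": target,
            "webshell_risk": risk}


if __name__ == "__main__":
    # Constructed samples; the last two mirror the pattern in the CVE description.
    for s in ("SELECT id, name FROM users WHERE id = 1",
              "SELECT * FROM logs INTO OUTFILE '/tmp/logs.csv'",
              "SELECT 1 INTO/**/OUTFILE '/var/www/html/x.php'",
              "select 'x' into dumpfile \"/var/www/html/up.phtml\""):
        print(classify_sql(s))
```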

Affected products

2 products
  • Gxlcms/Qy (inferred), 2 versions
    • = 1.0.0713 (no CPE)
    • = 1.0.0713 (no CPE)

References (1)
