Critical severity 9.8 · NVD Advisory · Published Apr 4, 2018 · Updated Jun 17, 2026
CVE-2018-9247
Description
The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in Gxlcms QY v1.0.0713 allows remote attackers to execute arbitrary SQL statements via the sql parameter. Consequently, an attacker can execute arbitrary PHP code by placing it after a <?php substring, and then using INTO OUTFILE with a .php filename.
Affected products: 2
References (1)
- www.atksec.com/cve/GxlcmsQY-v1.0.0713-getshell/index.html (nvd; Exploit, Third Party Advisory)