CVE-2020-21808
Description
SQL Injection vulnerability in NukeViet CMS 4.0.10 - 4.3.07 via the topicsid parameter in modules/news/admin/addtotopics.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in NukeViet CMS 4.0.10-4.3.07 via topicsid parameter in addtotopics.php allows authenticated admin users to execute arbitrary SQL.
Vulnerability
A SQL injection vulnerability exists in NukeViet CMS versions 4.0.10 through 4.3.07. The flaw is located in the file modules/news/admin/addtotopics.php, where the topicsid parameter is not properly sanitized before being used in SQL queries [1][4]. This allows an attacker to inject malicious SQL code.
Exploitation
To exploit this vulnerability, an attacker must have administrator-level access to the news module [4]. The attacker can manipulate the topicsid parameter in a request to addtotopics.php, injecting arbitrary SQL statements [1]. No user interaction other than the administrator performing a legitimate action is required.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the underlying database. This can lead to unauthorized disclosure, modification, or deletion of sensitive data, potentially compromising the entire CMS installation [1]. The impact is limited to the privileges of the database user, which typically has full access.
Mitigation
The vulnerability is fixed in NukeViet CMS version 4.3.08, as noted in the changelog [3]. For earlier versions (4.0, 4.1, 4.2), specific patches are available from the vendor's website [4]. Administrators are strongly advised to update to the latest version or apply the appropriate patch for their release.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nukeviet/nukeviet (Packagist) | >= 4.0.10, < 4.3.08 | 4.3.08 |
Affected products
- NukeViet/NukeViet CMS (source: description)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-84gf-rw24-pfqg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-21808 (ghsa, ADVISORY)
- github.com/nukeviet/nukeviet/blob/4.3.08/CHANGELOG.txt (ghsa, x_refsource_MISC, WEB)
- nukeviet.vn/vi/news/Tin-an-ninh/huong-dan-fix-loi-bao-mat-nukeviet-4-va-module-shops-612.html (ghsa, x_refsource_MISC, WEB)
- whitehub.net/submissions/1516 (ghsa, x_refsource_MISC, WEB)