CVE-2017-11354

9.8 CRITICAL

📋 TL;DR

CVE-2017-11354 is a critical SQL injection vulnerability in Fiyo CMS v2.0.7 that allows attackers to execute arbitrary SQL commands through the name parameter when editing or adding tag names. This affects all users running the vulnerable version of Fiyo CMS, potentially compromising the entire database and application.

💻 Affected Systems

Products:
  • Fiyo CMS
Versions: v2.0.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the dapur (admin) interface, but the vulnerability exists in default installation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data manipulation, authentication bypass, and potential remote code execution via database functions.

🟠 Likely Case

Database information disclosure, privilege escalation, and unauthorized data modification.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries in place.

🌐 Internet-Facing: HIGH - Web CMS systems are typically internet-facing and directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal systems could still be exploited by internal threats or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to access the admin interface, but SQL injection payloads are simple and well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.0.8 or later

Vendor Advisory: https://github.com/FiyoCMS/FiyoCMS/issues/4

Restart Required: No

Instructions:

1. Backup your database and files.
2. Download the latest version from the official repository.
3. Replace vulnerable files with patched versions.
4. Verify the fix by testing the tag editing functionality.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Add input validation to sanitize the name parameter before processing.

Modify dapur/apps/app_article/sys_article.php to validate/sanitize user input.

WAF Rule

Applies to: all

Implement web application firewall rules to block SQL injection patterns.

Add a WAF rule to detect and block SQL injection attempts in POST parameters.
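The following is an added illustration of the input-validation workaround combined with the parameterized-query fix the advisory recommends. It is not code from Fiyo CMS or from the advisory; the table name `tags`, its `id`/`name` columns, the `mysqli` handle `$db` and the allowed-character policy are all assumptions chosen for the example. The concatenating version is included only to make the contrast with the bound-parameter version visible.

```php
<?php
// Added example, not Fiyo CMS code. Hardened handling of the tag "name"
// parameter: validate the value, then pass it to MySQL as bound data.
// Assumptions (hypothetical): a table `tags` with columns `id` and `name`,
// a connected mysqli handle $db, and the mbstring extension for mb_strlen().

declare(strict_types=1);

/**
 * Validate a tag name before it reaches the database.
 * Returns the trimmed name, or null if the value is not acceptable.
 * Assumed policy: 1-64 characters; letters, digits, space, underscore, hyphen.
 */
function validateTagName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name) > 64) {
        return null;
    }
    if (preg_match('/^[\p{L}\p{N} _-]+$/u', $name) !== 1) {
        return null;
    }
    return $name;
}

/**
 * Vulnerable pattern, shown for contrast only: building the statement by
 * concatenation lets a crafted name change the structure of the query.
 */
function saveTagUnsafe(mysqli $db, int $id, string $name): bool
{
    $sql = "UPDATE tags SET name = '" . $name . "' WHERE id = " . $id;
    return $db->query($sql) !== false;
}

/**
 * Hardened version covering both "add" ($id === null) and "edit" paths.
 * The name is validated first; invalid input is rejected rather than
 * rewritten, and the accepted value is bound as a parameter so it can
 * never be interpreted as SQL.
 */
function saveTagSafe(mysqli $db, ?int $id, string $rawName): bool
{
    $name = validateTagName($rawName);
    if ($name === null) {
        return false;
    }

    if ($id === null) {
        $stmt = $db->prepare('INSERT INTO tags (name) VALUES (?)');
        if ($stmt === false) {
            return false;
        }
        $stmt->bind_param('s', $name);
    } else {
        $stmt = $db->prepare('UPDATE tags SET name = ? WHERE id = ?');
        if ($stmt === false) {
            return false;
        }
        $stmt->bind_param('si', $name, $id);
    }

    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage in the request handler for the tag editor (assumed parameter names):
// $rawName = $_POST['name'] ?? '';
// $id      = isset($_POST['id']) ? (int) $_POST['id'] : null;
// if (!saveTagSafe($db, $id, $rawName)) {
//     http_response_code(400);
//     exit('invalid tag name');
// }
```

The validation step is the "temporary workaround" from the advisory; the prepared statement is the durable fix. Keeping both is deliberate: the allow-list limits what reaches the database and gives a clear rejection for bad input, while parameter binding removes the injection condition regardless of what the allow-list permits.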

🧯 If You Can't Patch

  • Restrict access to the dapur/admin interface to trusted IP addresses only.
  • Implement database user with minimal privileges for the application.

🔍 How to Verify

Check if Vulnerable:

Check if running Fiyo CMS v2.0.7 and test the tag editing functionality with SQL injection payloads.

Check Version:

Check the version in the CMS admin panel or examine the application files for version markers.

Verify Fix Applied:

Test the tag editing functionality with SQL injection payloads after patching to confirm they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin interface
  • Suspicious POST requests to sys_article.php

Network Indicators:

  • SQL injection patterns in HTTP POST parameters
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="*sys_article.php*" AND (param="*name*" AND value="*' OR *")
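To show what the SIEM query above does when applied in code, here is an added log-review routine; it is not part of the advisory and not Fiyo CMS code. It assumes requests have already been parsed into records carrying the method, URI and POST parameters (ordinary access logs do not record POST bodies, so an application-level log or a proxy that captures parameters is assumed), and the sample records are constructed for the example.

```php
<?php
// Added example, not from the advisory or Fiyo CMS. Flags POST requests to
// sys_article.php whose "name" parameter carries common SQL injection
// indicators, mirroring the SIEM query in the advisory.
// Assumption: each record is an array with keys ts, ip, method, uri, params.

declare(strict_types=1);

// Indicators to look for in the tag name. The first entry is the advisory's
// own "' OR" pattern; the rest are other frequently seen shapes.
const SUSPICIOUS_PATTERNS = [
    '/\'\s*(or|and)\b/i',                  // ' OR ..., ' AND ...
    '/\bunion\b\s+(all\s+)?select\b/i',    // UNION SELECT
    '/--\s*$|#\s*$|\/\*/',                 // comment terminators
    '/;\s*(drop|delete|update|insert)\b/i',// stacked statements
    '/\bsleep\s*\(|\bbenchmark\s*\(/i',    // time-based probing
];

function isSuspiciousTagName(string $value): bool
{
    foreach (SUSPICIOUS_PATTERNS as $re) {
        if (preg_match($re, $value) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Returns the subset of $records that match the advisory's indicators:
 * a POST to sys_article.php with a suspicious "name" parameter.
 */
function findTagInjectionAttempts(array $records): array
{
    $hits = [];
    foreach ($records as $r) {
        if (($r['method'] ?? '') !== 'POST') {
            continue;
        }
        if (strpos($r['uri'] ?? '', 'sys_article.php') === false) {
            continue;
        }
        $name = $r['params']['name'] ?? null;
        if ($name !== null && isSuspiciousTagName((string) $name)) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// Constructed sample records (not real traffic).
$sample = [
    ['ts' => '2017-07-16T10:00:01Z', 'ip' => '203.0.113.5', 'method' => 'POST',
     'uri' => '/dapur/apps/app_article/sys_article.php',
     'params' => ['name' => 'security', 'id' => '3']],
    ['ts' => '2017-07-16T10:00:09Z', 'ip' => '203.0.113.5', 'method' => 'POST',
     'uri' => '/dapur/apps/app_article/sys_article.php',
     'params' => ['name' => "x' OR '1'='1", 'id' => '3']],
    ['ts' => '2017-07-16T10:00:12Z', 'ip' => '198.51.100.7', 'method' => 'GET',
     'uri' => '/index.php',
     'params' => ['q' => "' OR 1=1"]],
];

foreach (findTagInjectionAttempts($sample) as $hit) {
    printf("%s %s POST %s name=%s\n",
        $hit['ts'], $hit['ip'], $hit['uri'], $hit['params']['name']);
}
```

The URI and method filters come first so that the pattern list is only applied to traffic that can actually reach the vulnerable code path; a matching string in an unrelated GET parameter (the third record) is out of scope for this rule and is left to other detections. Because the admin interface requires authentication, correlating a hit with the session or account that issued the request is the natural next step when triaging.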
