A SQL injection vulnerability in profile.php in QCubed (all versions, including 3.1.1) allows an unauthenticated attacker to access the database by injecting SQL code through the strQuery parameter of a crafted POST request.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24913
Reference(s):
- FULLDISC:20210312 [AIT-SA-20210215-02] CVE-2020-24913: QCubed SQL Injection
- URL: http://seclists.org/fulldisclosure/2021/Mar/29
- FULLDISC:20210312 [AIT-SA-20210215-03] CVE-2020-24912: QCube Cross-Site-Scripting
- URL: http://seclists.org/fulldisclosure/2021/Mar/30
- http://packetstormsecurity.com/files/161759/QCubed-3.1.1-SQL-Injection.html