[Security] Vulnerability:SQL injection  vulnerability in the import functionality

# Description
Vvveb CMS version 1.0.7.3 contains a critical SQL injection 
vulnerability in the import functionality  
An authenticated administrator can upload a .sql file, leading to SQL injection 

# Poc

1.Login to the admin panel.
2.Go to Tools -> Import.
![](https://cdn.jsdelivr.net/gh/Huu1j/Huuj_img@main/img/202510111034193.png)
3.Create a file named test.sql with the following content:
```
SELECT EXTRACTVALUE(1, CONCAT('~', (SELECT password FROM admin LIMIT 1)));
```
![](https://cdn.jsdelivr.net/gh/Huu1j/Huuj_img@main/img/202510111032202.png)
4.Upload the file to trigger an error-based SQL injection.
![](https://cdn.jsdelivr.net/gh/Huu1j/Huuj_img@main/img/202510111027850.png)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[Security] Vulnerability:SQL injection vulnerability in the import functionality #332

Description

Poc

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

[Security] Vulnerability:SQL injection vulnerability in the import functionality #332

Description

Description

Poc

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions