CVE-2019-25439
NoviSmart · CMS
NoviSmart CMS is vulnerable to a high-severity SQL injection via the Referer HTTP header, allowing remote attackers to execute arbitrary SQL queries against the database.
Executive summary
A critical SQL injection vulnerability in NoviSmart CMS allows remote attackers to gain unauthorized access to the underlying database, potentially leading to a complete data breach.
Vulnerability
This is an SQL injection vulnerability where the application fails to properly sanitize input from the Referer HTTP header. A remote attacker can inject malicious SQL code through this header to manipulate database queries without requiring prior authentication.
Business impact
A successful SQL injection attack can result in the total compromise of the CMS database, including the theft of user credentials, sensitive corporate content, and customer data. The CVSS score of 8.2 underscores the high risk: the flaw allows unauthorized data exfiltration and potential administrative takeover of the website.
Remediation
Immediate Action: Apply the vendor-provided security patches immediately. If a patch is unavailable, the affected code must be manually updated to use parameterized queries.
Proactive Monitoring: Enable comprehensive database query logging and monitor for unusual syntax or high volumes of errors associated with the Referer header.
Compensating Controls: Deploy or configure a Web Application Firewall (WAF) to inspect and block malicious SQL patterns specifically within the HTTP Referer header field.
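The parameterized-query fix named under Immediate Action, and the database error signal named under Proactive Monitoring, shown as an added example that is not NoviSmart code and not part of this advisory. The `visits` table, the function names and the header values are assumptions, and Python's sqlite3 stands in for the CMS database layer.

```python
import sqlite3

def make_db():
    """In-memory stand-in for a CMS visit-log table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (path TEXT, referer TEXT)")
    return db

def log_visit_concat(db, path, referer):
    """Anti-pattern: the Referer value is spliced into the SQL text."""
    db.execute(
        f"INSERT INTO visits (path, referer) VALUES ('{path}', '{referer}')"
    )

def log_visit_param(db, path, referer):
    """Fix: the Referer value is bound as data and never parsed as SQL."""
    db.execute(
        "INSERT INTO visits (path, referer) VALUES (?, ?)", (path, referer)
    )

def stored_referers(db):
    rows = db.execute("SELECT referer FROM visits ORDER BY rowid")
    return [row[0] for row in rows]

# Constructed header values: an ordinary one and one containing a quote.
NORMAL = "https://example.org/news"
QUOTED = "https://example.org/o'brien"

def demo():
    results = {}
    db = make_db()
    log_visit_concat(db, "/", NORMAL)
    try:
        log_visit_concat(db, "/", QUOTED)
        results["concat"] = "stored"
    except sqlite3.OperationalError:
        # The quote ended the string literal early, so the rest of the header
        # was parsed as SQL. Errors like this are what query logging surfaces.
        results["concat"] = "sql-error"
    db = make_db()
    log_visit_param(db, "/", NORMAL)
    log_visit_param(db, "/", QUOTED)
    results["param"] = stored_referers(db)
    return results

if __name__ == "__main__":
    print(demo())
```

With bound parameters the quoted header is stored byte for byte, so the statement's structure no longer depends on what the client sends.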
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ability to execute arbitrary SQL queries remotely makes this a high-priority threat. Organizations must verify their NoviSmart CMS version and apply all available security updates immediately to prevent catastrophic data loss.