PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6065 Metalgenix CVE debrief

CVE-2017-6065 describes a SQL injection flaw in GeniXCMS backend menu handling. An authenticated remote attacker can abuse the vulnerable order parameter in inc/lib/Control/Backend/menus.control.php to execute arbitrary SQL commands. NVD assigns a high-severity CVSS 3.0 score of 8.8, reflecting network reachability, low attack complexity, and high impact on confidentiality, integrity, and availability.

Vendor: Metalgenix
Product: CVE-2017-6065
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

GeniXCMS administrators, backend maintainers, and security teams responsible for deployments that expose authenticated administration functions. Any environment that lets users who are not fully trusted reach backend menu controls should treat this as a priority.

Technical summary

The vulnerability is a CWE-89 SQL injection in the backend menus control code path. According to the CVE description, the vulnerable input is the order parameter in inc/lib/Control/Backend/menus.control.php. NVD lists the impact as CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a remote authenticated attacker could execute arbitrary SQL and potentially affect data confidentiality, integrity, and availability. NVD’s CPE data marks GeniXCMS versions through 1.0.1 as vulnerable, while the CVE description says through 1.0.2; that version-range difference should be treated cautiously until vendor guidance is confirmed.

Defensive priority

High. This is a remotely reachable authenticated SQL injection with full CIA impact in the scoring record, so exposed installations should be patched or isolated promptly.

Recommended defensive actions

  • Apply the vendor fix or patch referenced by the linked GeniXCMS issue and upgrade to a version confirmed to be outside the vulnerable range.
  • Treat every version covered by either range (the NVD CPE range through 1.0.1 and the CVE description’s wording of through 1.0.2) as vulnerable until vendor guidance resolves the discrepancy.
  • Restrict backend access to trusted administrative users only, enforce least privilege, and review who can reach menu-management functions.
  • Inspect application and database logs for unusual SQL patterns or unexpected backend menu operations around the affected code path.
  • Review the affected code to ensure the order parameter is validated against an allowlist and that SQL is built with parameterized queries rather than string concatenation.
  • If suspicious activity is found, rotate database credentials and assess for unauthorized data access or modification.
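As an added illustration of the code-review point above (example code written for this debrief, not GeniXCMS's own; the menus table and its column names are hypothetical), the PHP below shows the concatenation pattern to look for next to an allowlisted ORDER BY. Because ORDER BY identifiers cannot be bound as PDO parameters, the sort key is mapped through a fixed lookup and only data values are bound.

```php
<?php
// Added example, not GeniXCMS code. Table and column names are hypothetical.
// ORDER BY identifiers cannot be bound as PDO parameters, so the fix for this
// bug class is an allowlist lookup; only data values (here LIMIT) are bound.
declare(strict_types=1);

// Vulnerable shape the CVE describes: the request value lands in the statement as-is.
function vulnerableMenuSql(string $order): string
{
    return "SELECT id, title FROM menus ORDER BY " . $order;
}

// Hardened: map the request value onto a fixed set of columns and directions.
// Returns null for anything not on the allowlist so the caller can apply a default.
function resolveMenuOrder(?string $order): ?array
{
    static $columns = ['id' => 'id', 'title' => 'title', 'position' => 'position'];
    if ($order === null || !preg_match('/^([a-z_]+)(?::(asc|desc))?$/i', $order, $m)) {
        return null;
    }
    $key = strtolower($m[1]);
    if (!isset($columns[$key])) {
        return null;
    }
    $dir = (isset($m[2]) && strtolower($m[2]) === 'desc') ? 'DESC' : 'ASC';
    return [$columns[$key], $dir];
}

function fetchMenus(PDO $pdo, ?string $order, int $limit): array
{
    [$col, $dir] = resolveMenuOrder($order) ?? ['position', 'ASC'];
    // $col comes from the allowlist, never from the request; quoting is for SQLite/ANSI.
    $stmt = $pdo->prepare("SELECT id, title FROM menus ORDER BY \"$col\" $dir LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory fixture so the example runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE menus (id INTEGER PRIMARY KEY, title TEXT, position INTEGER)');
$pdo->exec("INSERT INTO menus (title, position) VALUES ('Home', 2), ('About', 1), ('Blog', 3)");

print_r(fetchMenus($pdo, 'title:desc', 10));   // sorted by title, descending
print_r(fetchMenus($pdo, 'position,id', 10));  // not on the allowlist: falls back to position ASC
```

In a review of the real controller, any request value reaching the ORDER BY clause without such a lookup is the finding; for MySQL deployments swap the double-quote identifier quoting for backticks.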

Evidence notes

Source evidence comes from the official CVE/NVD records supplied in the corpus. The CVE description states a SQL injection in inc/lib/Control/Backend/menus.control.php affecting GeniXCMS through 1.0.2 and reachable via the order parameter. NVD lists CWE-89 and CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and its CPE metadata marks cpe:2.3:a:metalgenix:genixcms:*:*:*:*:*:*:*:* as vulnerable through 1.0.1. NVD also references GitHub issue #71 as an issue-tracking/patch/vendor reference. The vendor/product mapping in the supplied metadata is somewhat inconsistent, so version scope should be verified against vendor guidance before remediation planning.

Official resources

CVE published on 2017-02-17. NVD record last modified on 2026-05-13. This debrief uses the CVE publication date for timing context.