CVE-2012-4383: Contao core SQL Injection Vulnerability

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.4904%
Published: 4/23/2022
Updated: 4/25/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
contao/core    composer    < 2.11.4              2.11.4

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from insufficient input validation in the toggleSubpalette handler of executePostActions. The pre-patch code did not check whether the user-controlled 'field' parameter named a valid selector field, nor whether the current user was permitted to edit that field. Because the unchecked value was used directly in the SQL statement, an attacker could inject arbitrary SQL through the field parameter, as demonstrated in the exploit example. The patch adds the missing validation (an allowlist check that the field is a declared selector field, plus a user permission check) before the value reaches the query, which confirms the handler as the vulnerability location.
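The hardening pattern described above, shown as an added example rather than Contao's own code: a user-supplied field name is checked against an allowlist of declared selector fields and against the user's permissions before it is ever used as a column name in an UPDATE statement. The table name `tl_example`, the DCA layout (`palettes` / `__selector__`), the function signatures and the permission array are all assumptions made for the illustration; the real patch in Contao 2.11.4 lives in its AJAX handler and uses the project's own DCA and user objects.

```php
<?php
// Added illustration, not Contao's code. All names below are assumptions.

// Hypothetical DCA fragment: declares which fields of the table are selector
// fields (the only ones a subpalette toggle is allowed to touch).
$GLOBALS['TL_DCA']['tl_example']['palettes']['__selector__'] = ['addImage', 'published'];
$GLOBALS['TL_DCA']['tl_example']['fields'] = [
    'addImage'  => ['inputType' => 'checkbox'],
    'published' => ['inputType' => 'checkbox'],
    'title'     => ['inputType' => 'text'],
];

/**
 * Validate a request-supplied field name before it is used as a column name.
 * Returns the field name when it passes both checks, or null to reject.
 */
function validateSelectorField(string $table, string $field, array $allowedForUser): ?string
{
    $dca = $GLOBALS['TL_DCA'][$table] ?? null;
    if ($dca === null) {
        return null;                                   // unknown table
    }
    // 1. Allowlist: the field must be a declared selector field in the DCA.
    $selectors = $dca['palettes']['__selector__'] ?? [];
    if (!in_array($field, $selectors, true)) {
        return null;
    }
    // 2. Permission: the field must be one this user is allowed to edit
    //    ($allowedForUser stands in for the back-end user's field permissions).
    if (!in_array($field, $allowedForUser, true)) {
        return null;
    }
    return $field;
}

/** Hypothetical hardened toggle handler; returns true only when the update ran. */
function toggleSubpalette(PDO $db, string $table, int $id, string $field, bool $state, array $allowedForUser): bool
{
    $column = validateSelectorField($table, $field, $allowedForUser);
    if ($column === null) {
        return false;                                  // reject, do not touch the database
    }
    // The column name now comes from the DCA, never verbatim from the request;
    // the value and the record id are still bound as parameters.
    $stmt = $db->prepare(sprintf('UPDATE `%s` SET `%s` = ? WHERE id = ?', $table, $column));
    return $stmt->execute([$state ? '1' : '', $id]);
}

// Demo against an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE tl_example (id INTEGER PRIMARY KEY, addImage TEXT NOT NULL DEFAULT '', " .
          "published TEXT NOT NULL DEFAULT '', title TEXT NOT NULL DEFAULT '')");
$db->exec("INSERT INTO tl_example (id, title) VALUES (1, 'demo')");

$allowed = ['addImage'];                               // this user may edit addImage only
var_dump(toggleSubpalette($db, 'tl_example', 1, 'addImage', true, $allowed));   // bool(true)
var_dump(toggleSubpalette($db, 'tl_example', 1, 'title', true, $allowed));      // bool(false): not a selector field
var_dump(toggleSubpalette($db, 'tl_example', 1, 'published', true, $allowed));  // bool(false): no permission
```

The order of the two checks matters for defence in depth: the allowlist guarantees the column name is one the application itself declared, so even a user with broad permissions cannot steer the query to an arbitrary column or append SQL, while the permission check enforces least privilege on top of that.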

WAF Protection Rules

WAF Rule

Contao core prior to 2.11.4 has a SQL injection vulnerability in `contao-*.**.*\system\modules\backend\ajax.php`

Reasoning

The vulnerability stems from insufficient input validation in the `toggleSubpalette` handler of `executePostActions`. The pre-patch code lacked checks for whether the user-controlled 'field' parameter was a valid selector field or allowed for the cur