
CVE-2019-10766:
SQL Injection in usmanhalalit/pixie

CVSS Score
9.8 (CVSS v3.1)

Basic Information

EPSS Score
0.55005%
Published
11/20/2019
Updated
1/9/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name        Ecosystem  Vulnerable Versions   First Patched Version
usmanhalalit/pixie  composer   < 1.0.3               1.0.3
usmanhalalit/pixie  composer   >= 2.0.0, < 2.0.2     2.0.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from improper sanitization in the limit() method's parameter handling. The commit diff shows explicit (int) casting was added to $statements['limit'] and $statements['offset'] in BaseAdapter.php's select method to fix SQL injection. Before patching, non-integer values (like SQL expressions) passed to limit() were directly embedded in SQL queries. The Snyk PoC demonstrates exploiting this by passing a subquery string to limit().
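To make the fix pattern concrete, here is an added illustration (not Pixie's own code) of a minimal select() builder before and after the explicit (int) casts on the limit and offset statements; the function names, table and sample values are assumptions constructed for this example.

```php
<?php
// Minimal stand-in for a query builder's select(): appends LIMIT/OFFSET
// from a $statements array populated by limit()/offset() calls.

function buildSelectUnpatched(string $table, array $statements): string
{
    // Before the fix: the raw value handed to limit()/offset() is concatenated
    // into the SQL text, so anything other than a plain integer survives.
    $sql = "SELECT * FROM `$table`";
    if (isset($statements['limit'])) {
        $sql .= " LIMIT " . $statements['limit'];
    }
    if (isset($statements['offset'])) {
        $sql .= " OFFSET " . $statements['offset'];
    }
    return $sql;
}

function buildSelectPatched(string $table, array $statements): string
{
    // After the fix: an explicit (int) cast guarantees that only an integer
    // literal can ever reach the SQL text, whatever type was passed in.
    $sql = "SELECT * FROM `$table`";
    if (isset($statements['limit'])) {
        $sql .= " LIMIT " . (int) $statements['limit'];
    }
    if (isset($statements['offset'])) {
        $sql .= " OFFSET " . (int) $statements['offset'];
    }
    return $sql;
}

// Constructed sample: non-integer strings, as untrusted input might supply.
$statements = ['limit' => '10 extra text', 'offset' => 'abc'];

// Unpatched builder: both strings appear verbatim in the query.
echo buildSelectUnpatched('users', $statements), PHP_EOL;

// Patched builder: the cast keeps the leading digits of the first value and
// turns the non-numeric second value into 0, so no free text reaches the SQL.
echo buildSelectPatched('users', $statements), PHP_EOL;
```

Running the script side by side shows why the cast is sufficient here: LIMIT and OFFSET only ever need an integer, so coercion rather than escaping is the right control.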

Vulnerable functions


WAF Protection Rules

WAF Rule

Pixie versions 1.0.x before 1.0.3, and 2.0.x before 2.0.2 allow SQL Injection in the limit() function due to improper sanitization.
