Miggo Logo

CVE-2020-21809: NukeViet SQL Injection vulnerability

9.8

CVSS Score
3.1

Basic Information

EPSS Score
0.75607%
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
nukeviet/nukevietcomposer>= 4.0, < 4.0.294.0.29
nukeviet/nukevietcomposer>= 4.1, < 4.1.024.1.02
nukeviet/nukevietcomposer>= 4.2, < 4.2.014.2.01
nukeviet/nukevietcomposer= 4.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unsanitized user input being directly used in SQL queries. In detail.php, the listid parameter was split into an array but not validated as integers, enabling injection through crafted listid values. In search_result.php, group_price parameters were used to construct BETWEEN clauses without proper numeric validation. The commit diff shows both were fixed by enforcing integer conversion via array_map('intval'), confirming the lack of input sanitization was the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

SQL Inj**tion vuln*r**ility in Nuk*Vi*t *MS mo*ul* S*ops *.*.** *n* *.* vi* t** (*) listi* p*r*m*t*r in **t*il.p*p *n* t** (*) *roup_pri** or *roupi* p*r*m*t*rs in s**r**_r*sult.p*p. ### *ix Impl*m*nt*tion: *ownlo** t** up**t* p**k*** *orr*spon*in*

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** us*r input **in* *ir**tly us** in SQL qu*ri*s. In **t*il.p*p, t** listi* p*r*m*t*r w*s split into *n *rr*y *ut not v*li**t** *s int***rs, *n**lin* inj**tion t*rou** *r**t** listi* v*lu*s. In s**r**_r*sult.p*p,