CVE-2021-42325: Froxlor SQL injection vulnerability
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-42325
GHSA ID:
EPSS Score: 0.89109%
CWE: CWE-89
Published: 5/24/2022
Updated: 4/25/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| froxlor/froxlor | composer | <= 0.10.29.1 | 0.10.30 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the createDatabase method building its SQL statement by string concatenation with a user-supplied database name. The original code ran Database::query("CREATE DATABASE " . $dbname . ""), so any SQL metacharacters in $dbname became part of the statement, which allows SQL injection. The patch replaced this with a prepared statement using :dbname parameter binding. The exploit demonstrates the flaw by injecting SQL through the custom_suffix parameter when a customer database is created. Direct interpolation of user input into SQL, the CWE-89 classification, and a patch that explicitly moves to prepared statements together confirm this function as the vulnerable entry point.
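As an added example, not Froxlor's own code, the snippet below shows the vulnerable concatenation pattern next to a hardened createDatabase. Because MySQL cannot bind an identifier such as a database name as a prepared-statement parameter, the hardened version relies on strict allowlist validation plus backtick quoting; $pdo is assumed to be a PDO connection and the function names are illustrative.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (as described in the root cause analysis): the name,
// derived from customer input such as custom_suffix, is pasted into the SQL.
function createDatabaseVulnerable(PDO $pdo, string $dbname): void
{
    $pdo->exec("CREATE DATABASE " . $dbname); // raw user input in the statement
}

// Hardened: reject anything that is not a plain identifier before any SQL
// is built. Letters, digits and underscore only, within MySQL's 64-char limit.
function assertSafeDbName(string $dbname): string
{
    if ($dbname === '' || strlen($dbname) > 64) {
        throw new InvalidArgumentException('database name must be 1-64 characters');
    }
    if (!preg_match('/^[A-Za-z0-9_]+$/', $dbname)) {
        throw new InvalidArgumentException('database name contains disallowed characters');
    }
    return $dbname;
}

// Backtick-quote an identifier; doubling embedded backticks is MySQL's escape
// rule. After assertSafeDbName() none remain, but quoting defensively is cheap.
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

function createDatabaseHardened(PDO $pdo, string $dbname): void
{
    $safe = assertSafeDbName($dbname);
    $pdo->exec('CREATE DATABASE ' . quoteIdentifier($safe));
}

// Constructed sample inputs; the validation step needs no database connection.
foreach (['customer1_shop', 'customer1`x', 'customer1 shop;'] as $candidate) {
    try {
        echo quoteIdentifier(assertSafeDbName($candidate)), " accepted\n";
    } catch (InvalidArgumentException $e) {
        echo var_export($candidate, true), ' rejected: ', $e->getMessage(), "\n";
    }
}
```

Only the first candidate passes; the other two are refused before a statement exists, which is the check the concatenating version never performed.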