Miggo Logo
Miggo Vulnerability Database
CVE-2021-4262

CVE-2021-4262: laravel-jqgrid vulnerable to SQL Injection

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-4262
GHSA ID
GHSA-3fhj-wpvj-x5w8
EPSS Score
0.13316%
CWE
CWE-89
Published
12/19/2022
Updated
1/30/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
mgallegos/laravel-jqgridcomposer<= 1.3.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the pre-patch implementation that used orderByRaw($orderByRaw) with raw user input. The $orderByRaw parameter was constructed from request parameters (sidx/sord) without proper validation. The patch replaced orderByRaw with parameterized orderBy() calls after splitting and validating components, confirming the original raw SQL usage was the injection vector. The function's direct handling of user input in SQL construction makes it clearly vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility *l*ssi*i** *s *riti**l w*s *oun* in l*r*v*l-jq*ri*. *****t** *y t*is vuln*r**ility is t** *un*tion **tRows o* t** *il* sr*/M**ll**os/L*r*v*lJq*ri*/R*positori*s/*loqu*ntR*pository**str**t.p*p. T** m*nipul*tion l***s to sql inj**tion. T

Reasoning

T** vuln*r**ility st*ms *rom t** pr*-p*t** impl*m*nt*tion t**t us** `or**r*yR*w`(`$or**r*yR*w`) wit* r*w us*r input. T** `$or**r*yR*w` p*r*m*t*r w*s *onstru*t** *rom r*qu*st p*r*m*t*rs (`si*x/sor*`) wit*out prop*r v*li**tion. T** p*t** r*pl**** `or**