9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-44135

GHSA ID

GHSA-45hc-r4fj-qj89

EPSS Score

0.5185%

CWE

CWE-89

Published

4/2/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-44135

CVE-2021-44135:
SQL injection in pagekit/pagekit

Pagekit is a modular and lightweight CMS built with Symfony components and Vue.js. The configAction in SettingsController allow user to set the order of comments listing. The allowed options are ASC and DESC. That config then get concatenated directly to the SQL query. Due to the fact that there wasnt any sanitizion before saving that config, it can lead to the SQL Injection vulnerability.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-44135

GHSA ID

GHSA-45hc-r4fj-qj89

EPSS Score

0.5185%

CWE

CWE-89

Published

4/2/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pagekit/pagekit	composer	<= 1.0.18

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly states that the configAction in SettingsController handles comment order configuration which is unsafely concatenated into SQL queries. Though no code is shown, the advisory specifically identifies this controller action as the injection point where user input (ASC/DESC) is used without sanitization. The pattern matches classic SQL injection vulnerabilities where user input flows directly into SQL commands.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

P***kit is * mo*ul*r *n* li**tw*i**t *MS *uilt wit* Sym*ony *ompon*nts *n* Vu*.js. T** *on*i***tion in S*ttin*s*ontroll*r *llow us*r to s*t t** or**r o* *omm*nts listin*. T** *llow** options *r* *S* *n* **S*. T**t *on*i* t**n **t *on**t*n*t** *ir**tl

Reasoning

T** vuln*r**ility **s*ription *xpli*itly st*t*s t**t t** *on*i***tion in S*ttin*s*ontroll*r **n*l*s *omm*nt or**r *on*i*ur*tion w*i** is uns***ly *on**t*n*t** into SQL qu*ri*s. T*ou** no *o** is s*own, t** **visory sp**i*i**lly i**nti*i*s t*is *ontro

9.8

Basic Information

Concerned about an active attack path?

CVE-2021-44135: SQL injection in pagekit/pagekit

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-44135:
SQL injection in pagekit/pagekit

Vulnerability Intelligence
Miggo AI