
CVE-2021-44427: SQL Injection in rosariosis

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.99297%
Published: 12/2/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: francoisjacquet/rosariosis
Ecosystem: composer
Vulnerable Versions: < 8.1.1
First Patched Version: 8.1.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unsanitized 'syear' parameter handling in Side.php, which flows through UserSyear() to GetCurrentMP(). The patch moved AJAX handling to a sanitized $_REQUEST approach, but prior to 8.1.1, GetCurrentMP() in GetMP.php directly incorporated user-controlled 'syear' into SQL queries via UserSyear() from Current.php. The GitLab issue #328 analysis confirms this injection occurs in the SQL query at GetMP.php lines 411-416 using UserSyear(), which was populated from unauthenticated user input.
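As an added illustration (this is not RosarioSIS's own code; the function, table and column names are assumed), the vulnerable shape the analysis describes, with the request-supplied school year concatenated into the statement text, beside a hardened equivalent that validates syear and binds it with pg_query_params:

```php
<?php
// Added example, not code from RosarioSIS. Names such as getCurrentMpVulnerable,
// getCurrentMpHardened, school_marking_periods and marking_period_id are hypothetical.

// Mirrors the pre-8.1.1 flow: an unauthenticated request value becomes the school year.
function currentSyearFromRequest(): string {
    return $_REQUEST['syear'] ?? date('Y');
}

// Vulnerable shape: the raw value is spliced into the SQL string, so whatever the
// client sent is parsed by PostgreSQL as part of the statement.
function getCurrentMpVulnerable($db, string $syear) {
    $sql = "SELECT marking_period_id FROM school_marking_periods"
         . " WHERE syear = '" . $syear . "'"
         . " AND CURRENT_DATE BETWEEN start_date AND end_date";
    return pg_query($db, $sql);
}

// Hardened shape, step 1: accept only a plausible four-digit year, fail closed otherwise.
function validatedSyear(string $raw): int {
    if (!preg_match('/^\d{4}$/', $raw)) {
        throw new InvalidArgumentException('syear must be a four-digit year');
    }
    return (int) $raw;
}

// Hardened shape, step 2: pass the validated value as a bound parameter ($1), never as text.
function getCurrentMpHardened($db, string $rawSyear) {
    $syear = validatedSyear($rawSyear);
    $sql = 'SELECT marking_period_id FROM school_marking_periods'
         . ' WHERE syear = $1'
         . ' AND CURRENT_DATE BETWEEN start_date AND end_date';
    return pg_query_params($db, $sql, [$syear]);
}

// Usage (assumes an open connection in $db):
// $result = getCurrentMpHardened($db, currentSyearFromRequest());
```

The validation step alone would already reject the malformed input; binding the value is what keeps the query safe even if validation is later loosened or bypassed elsewhere in the code base.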


WAF Protection Rules

WAF Rule

An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.
