CVE-2021-44567: SQL injection in francoisjacquet/rosariosis

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.82646%
Published: 2/25/2022
Updated: 2/3/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: francoisjacquet/rosariosis
Ecosystem: composer
Vulnerable Versions: < 7.6.1
First Patched Version: 7.6.1

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from how PortalPollsVote() uses $poll_id, which is derived from the array keys of $_POST['votes'], directly in SQL queries without proper sanitization. The foreach loop in PortalPollsNotes.fnc.php processes the raw POST parameters, and the parameter keys never pass through the DBEscapeString sanitization, which acts only on $_REQUEST values. This allows attackers to control the poll_id parameter in an SQL context. The function signature and injection vector are explicitly described in the reproduction steps and code analysis of GitLab issue #308.
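The gap described above, values escaped but array keys left untouched, can be seen in a small stand-alone sketch. This is an added example, not RosarioSIS code: `escape_values_only()` and `valid_poll_votes()` are hypothetical names, the escaping is a simplified stand-in for the real sanitizer, and the sample input and the assumption that each vote is a single integer are constructed for illustration.

```php
<?php
// Added illustration; not RosarioSIS source. All function names are hypothetical.

// Stand-in for a sanitizer that escapes request VALUES only.
// Array keys are copied through unchanged, which is the gap the page describes.
function escape_values_only(array $input): array
{
    $out = [];
    foreach ($input as $key => $value) {
        $out[$key] = is_array($value)
            ? escape_values_only($value)
            : str_replace("'", "''", (string) $value);
    }
    return $out;
}

// Hardened handling: keep only entries whose key is a positive integer.
// PHP turns canonical decimal string keys into int, so a legitimate poll id
// arrives as int in foreach; any other key remains a string and is dropped.
function valid_poll_votes(array $votes): array
{
    $clean = [];
    foreach ($votes as $poll_id => $answer) {
        if (!is_int($poll_id) || $poll_id <= 0) {
            continue; // key is not a plain positive integer
        }
        // Assumption for this sketch: a vote is one non-negative integer.
        $vote = filter_var($answer, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
        if ($vote === false) {
            continue;
        }
        $clean[$poll_id] = $vote;
    }
    return $clean;
}

// Constructed sample standing in for $_POST['votes'].
$votes = ['12' => '2', "3' -- constructed" => '1'];

// After value-only escaping, the quote in the second key is still present.
var_dump(array_keys(escape_values_only($votes)));

// After key validation, only poll 12 remains, with integer key and value.
var_dump(valid_poll_votes($votes));
```

Passing the validated integer ids to the query as bound parameters removes the dependency on escaping altogether.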
