Miggo Logo
Miggo Vulnerability Database
CVE-2023-24780

CVE-2023-24780: SQL Injection in Funadmin

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-24780
GHSA ID
GHSA-7pmh-8qjj-4q36
EPSS Score
0.48004%
CWE
CWE-89
Published
3/8/2023
Updated
3/14/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
funadmin/funadmincomposer<= 3.2.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. The vulnerability report explicitly identifies the columns method in table.php as the injection point.
  2. The GitHub issue demonstrates raw SQL concatenation with the 'id' parameter via a SQLMap POC.
  3. PHP controller methods handling HTTP parameters without prepared statements are classic SQL injection vectors.
  4. No evidence of input validation/sanitization is mentioned in the provided code audit details.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*un**min v*.*.* w*s *is*ov*r** to *ont*in * SQL inj**tion vuln*r**ility vi* t** i* p*r*m*t*r *t /**t***s*s/t**l*/*olumns.

Reasoning

*. T** vuln*r**ility r*port *xpli*itly i**nti*i*s t** *olumns m*t*o* in t**l*.p*p *s t** inj**tion point. *. T** *it*u* issu* **monstr*t*s r*w SQL *on**t*n*tion wit* t** 'i*' p*r*m*t*r vi* * SQLM*p PO*. *. P*P *ontroll*r m*t*o*s **n*lin* *TTP p*r*m*t