
CVE-2023-24782: SQL Injection in Funadmin

CVSS 3.1 Score: 9.8 (Critical)

Basic Information

EPSS Score: 0.22462%
Published: 3/8/2023
Updated: 3/14/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: funadmin/funadmin
Ecosystem: composer
Vulnerable Versions: <= 3.2.0
First Patched Version: (not listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability report identifies the edit method in Database.php as the point where the unsanitized id request parameter is concatenated into a SQL query. GitHub issue #3 gives the technical details of the injection through this endpoint, and the CVE description confirms the attack vector: the id parameter of /databases/database/edit. Interpolating user input directly into a SQL statement that is then executed is the CWE-89 (SQL Injection) pattern. The CVSS vector above scores the flaw as reachable by an unauthenticated remote request (AV:N, PR:N, UI:N); the page does not say whether the endpoint sits behind an admin session, so treat any exposed Funadmin instance at or below 3.2.0 as affected.
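The interpolation pattern described above, as an added example that is not Funadmin's code (the page does not reproduce Database.php): a Python/sqlite3 model of an edit handler that concatenates the id parameter into its query, beside a hardened version that first rejects anything that is not a positive integer literal and then binds the value as a query parameter. The `databases` table, its columns, the row data and the `1 OR 1=1` payload are all constructed for the demonstration and are assumptions, not details from the advisory.

```python
import re
import sqlite3

# Constructed stand-in for the application's database table; the real
# Funadmin schema is not shown on the page and is assumed here.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE databases (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO databases VALUES (?, ?)",
        [(1, "funadmin"), (2, "billing"), (3, "archive")],
    )
    return conn


def edit_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """CWE-89 pattern: the request's id parameter is pasted straight into the
    SQL text, so whatever the client sends becomes part of the statement."""
    sql = f"SELECT id, name FROM databases WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


# A positive integer literal is the only shape a record id should ever have.
ID_RE = re.compile(r"[1-9][0-9]*")


def is_valid_id(raw_id: str) -> bool:
    """Allow-list check on the id parameter (the kind of check a WAF rule or
    input filter would enforce before the request reaches the handler)."""
    return ID_RE.fullmatch(raw_id) is not None


def edit_hardened(conn: sqlite3.Connection, raw_id: str) -> list:
    """Two independent defences: reject malformed ids up front, and bind the
    value as a parameter so the driver never interprets it as SQL."""
    if not is_valid_id(raw_id):
        raise ValueError(f"rejected id parameter: {raw_id!r}")
    return conn.execute(
        "SELECT id, name FROM databases WHERE id = ?", (int(raw_id),)
    ).fetchall()


# Constructed payload: turns "WHERE id = 1" into "WHERE id = 1 OR 1=1".
PAYLOAD = "1 OR 1=1"


def demo() -> dict:
    """Runs both handlers against a benign id and the payload and reports
    how many rows each returned (the vulnerable one dumps the whole table)."""
    conn = build_db()
    try:
        edit_hardened(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "benign": edit_vulnerable(conn, "1"),
        "dumped_rows": len(edit_vulnerable(conn, PAYLOAD)),
        "hardened_benign": edit_hardened(conn, "1"),
        "blocked": blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allow-list check alone would stop this particular payload, but it is the parameter binding that removes the bug: a numeric cast or regex protects only this parameter, whereas binding protects the query regardless of what other fields are later added to it. In the PHP/ThinkPHP setting the page describes, the equivalent is passing the value through the query builder's `where()` with a bound value or a prepared statement rather than string concatenation.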


WAF Protection Rules

WAF Rule

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/edit.
