Miggo Logo
Miggo Vulnerability Database
CVE-2023-31717

CVE-2023-31717: FUXA SQL Injection vulnerability

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-31717
GHSA ID
GHSA-v9q5-9crp-92f9
EPSS Score
0.95927%
CWE
CWE-89
Published
9/22/2023
Updated
11/7/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
fuxa-servernpm<= 1.1.12

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unsanitized user input being used in SQL queries. The exploit demonstrates SQLi via the 'id' parameter in POST requests, indicating: 1) An endpoint accepts JSON payloads with 'id' 2) This input is directly concatenated into SQL statements 3) No prepared statements or input sanitization exists. While exact code isn't visible, the exploit's payload structure and vulnerability type strongly suggest insecure query construction in API handlers. Node.js SQL injection patterns typically involve string concatenation with user input in db.query() calls.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* SQL Inj**tion *tt**k in *UX* <= *.*.** *llows *x*iltr*tion o* *on*i**nti*l in*orm*tion *rom t** **t***s*.

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** us*r input **in* us** in SQL qu*ri*s. T** *xploit **monstr*t*s SQLi vi* t** 'i*' p*r*m*t*r in POST r*qu*sts, in*i**tin*: *) *n *n*point ****pts JSON p*ylo**s wit* 'i*' *) T*is input is *ir**tly *on**t*n*t** in