
CVE-2023-47438: SQL Injection vulnerability in Reportico Till

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.26762%
Published: 3/28/2024
Updated: 11/18/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name: reportico-web/reportico
Ecosystem: composer
Vulnerable Versions: <= 8.1.0
First Patched Version: none listed

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability manifests through manipulation of the 'project' parameter, which produces SQL errors. This indicates: 1) direct interpolation of user input into SQL queries; 2) no prepared statements or parameterization; 3) error messages that reveal database structure. The most likely location is the project-loading logic, where the 'project' parameter is used to query project configurations from the database. Confidence is high because of the clear pattern (parameter tampering causing SQL errors) and the CWE-89 classification.
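The three points above are easiest to see side by side. The following is an added illustration, not Reportico's code: a hypothetical project-loading routine (loadProjectVulnerable) that interpolates the parameter, echoes the raw database error and so exhibits all three root-cause conditions, next to a hardened version (loadProjectSafe) that allowlists the identifier shape, binds the value as a parameter and keeps error detail in the server log. The table, rows and the in-memory SQLite database are constructed so the script runs offline with only the PDO extension.

```php
<?php
// Added example (not from the Reportico project). Constructed in-memory
// SQLite schema standing in for a project-configuration table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE projects (name TEXT PRIMARY KEY, config TEXT)');
$pdo->exec("INSERT INTO projects VALUES ('demo', 'title=Demo report')");

// Hypothetical vulnerable loader: (1) user input concatenated into the SQL
// string, (2) no parameter binding, (3) the raw database error returned to
// the client. A stray quote in the parameter is enough to trigger an error.
function loadProjectVulnerable(PDO $pdo, string $project): ?string
{
    try {
        $sql = "SELECT config FROM projects WHERE name = '$project'";
        $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row['config'] ?? null;
    } catch (PDOException $e) {
        // Leaks statement text and engine details to whoever sent the request.
        return 'Database error: ' . $e->getMessage();
    }
}

// Hardened loader: reject anything that is not a plausible project name,
// bind the value instead of interpolating it, and log (not return) errors.
function loadProjectSafe(PDO $pdo, string $project): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $project)) {
        return null; // allowlist on identifier shape; nothing reaches the query
    }
    try {
        $stmt = $pdo->prepare('SELECT config FROM projects WHERE name = :name');
        $stmt->execute([':name' => $project]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row['config'] ?? null;
    } catch (PDOException $e) {
        error_log('project lookup failed: ' . $e->getMessage()); // detail stays server-side
        return null; // generic outcome for the client
    }
}

// Constructed inputs: a legitimate name and the same name with a stray quote,
// the kind of parameter tampering that surfaces an SQL error in the first loader.
var_dump(loadProjectVulnerable($pdo, 'demo'));   // "title=Demo report"
var_dump(loadProjectVulnerable($pdo, "demo'"));  // "Database error: ..." (engine message exposed)
var_dump(loadProjectSafe($pdo, 'demo'));         // "title=Demo report"
var_dump(loadProjectSafe($pdo, "demo'"));        // NULL (rejected before any query runs)
```

The allowlist check is deliberately placed before the prepared statement: binding alone already removes the injection, but rejecting malformed identifiers up front also keeps tampered requests out of the database error path, which is the signal the analysis above relies on. In production the error_log line is the place to raise an alert on repeated failures for the same parameter.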


WAF Protection Rules

WAF Rule

SQL Injection vulnerability in Reportico Till 8.1.0 allows attackers to obtain sensitive information or other system information via the project parameter.
