
CVE-2024-48227: Logic flaw in Funadmin

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.66069%
CWE: -
Published: 10/25/2024
Updated: 10/29/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name      | Ecosystem | Vulnerable Versions | First Patched Version
funadmin/funadmin | composer  | <= 5.0.2            | -

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from two defects that combine. First, the delete action in Table.php interpolates the user-controlled 'id' parameter directly into the SQL it executes, without validating it as a table identifier, as the reproduction steps in the report show. Second, the getSystemTable blacklist in common.php compares the raw value against the protected table names and does not account for SQL injection techniques: a value such as 'admin;' is not recognised as the protected 'admin' table, yet once interpolated it still names that table. Together these allow a request without prior authentication (PR:N in the vector) to delete core system tables such as fun_admin, which renders the application unusable; the CVSS vector rates this as an availability impact only (A:H). The GitHub issue that reported the flaw references these components and demonstrates exploitability with HTTP requests to the affected functions. Because DDL such as DROP TABLE cannot take a bound parameter, the practical fix is to validate the identifier against a strict pattern before it reaches SQL and to apply the protected-table check to the normalised name rather than the raw input.
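The two-step failure described above (an exact-match blacklist followed by string interpolation into DDL) is reproduced below as an added example; it is not Funadmin's code, which is PHP, but a language-independent reconstruction in Python over an in-memory SQLite database. The table list, the fun_ prefix on table names and the exact shape of the generated DROP TABLE statement are assumptions for the demonstration (the page only names fun_admin as a core table and does not show how the SQL is assembled). The hardened variant is the editor's suggested pattern, not a patch from the project.

```python
import re
import sqlite3

# Assumed protected table list. The analysis says Funadmin keeps the real list
# in common.php (getSystemTable); these entries are constructed for the example.
SYSTEM_TABLES = {"admin", "auth_group", "auth_rule", "config"}
TABLE_PREFIX = "fun_"  # assumed prefix; the page names fun_admin as a core table


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: one core table and one harmless CRUD table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fun_admin (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("CREATE TABLE fun_user_notes (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def is_system_table_exact(name: str) -> bool:
    """Blacklist check of the kind the analysis describes: exact string
    membership only, so 'admin;' is not recognised as 'admin'."""
    return name in SYSTEM_TABLES


def vulnerable_delete(conn: sqlite3.Connection, user_id: str) -> bool:
    """Assumed shape of the flawed flow: blacklist on the raw value, then
    interpolate it into DDL. Returns True when a DROP was executed."""
    if is_system_table_exact(user_id):
        return False
    # 'admin;' passes the check; interpolation yields 'DROP TABLE fun_admin;'
    conn.execute(f"DROP TABLE {TABLE_PREFIX}{user_id}")
    return True


# Strict identifier grammar: letters, digits and underscore, nothing else.
IDENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def hardened_delete(conn: sqlite3.Connection, user_id: str) -> bool:
    """Validate the identifier before it touches SQL, apply the protected list
    to the normalised name, check the table exists, then quote the identifier.
    DDL cannot take bound parameters, so validation happens up front."""
    if not IDENT_RE.fullmatch(user_id):
        raise ValueError("table name must be a plain identifier")
    name = user_id.lower()
    if name in SYSTEM_TABLES:
        raise PermissionError("refusing to drop a core system table")
    full = TABLE_PREFIX + name
    if not table_exists(conn, full):
        raise LookupError("no such table")
    quoted = '"' + full.replace('"', '""') + '"'
    conn.execute(f"DROP TABLE {quoted}")
    return True


def demo() -> dict:
    """Run both paths against fresh databases and report what happened."""
    out = {}
    conn = make_db()
    out["blacklist_flags_plain"] = is_system_table_exact("admin")
    out["blacklist_flags_bypass"] = is_system_table_exact("admin;")
    vulnerable_delete(conn, "admin;")
    out["fun_admin_after_vulnerable"] = table_exists(conn, "fun_admin")

    conn = make_db()
    for payload in ("admin;", "admin", "ADMIN", "admin/**/", "notes; DROP TABLE fun_admin"):
        try:
            hardened_delete(conn, payload)
            out[f"hardened:{payload}"] = "dropped"
        except (ValueError, PermissionError, LookupError) as exc:
            out[f"hardened:{payload}"] = type(exc).__name__
    hardened_delete(conn, "user_notes")  # a legitimate CRUD table still goes
    out["fun_admin_after_hardened"] = table_exists(conn, "fun_admin")
    out["fun_user_notes_after_hardened"] = table_exists(conn, "fun_user_notes")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the blacklist accepting 'admin;' and the core table disappearing on the vulnerable path, while the hardened path rejects the same payload at the identifier check, rejects 'admin' and 'ADMIN' at the protected-list check, and still drops an ordinary CRUD table.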


WAF Protection Rules

WAF Rule

Funadmin 5.0.2 has a logical flaw in the curd one click command deletion function, which can result in a Denial of Service (DOS).
