
CVE-2024-48229: SQL injection in funadmin

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.23975%
Published: 10/25/2024
Updated: 10/28/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: funadmin/funadmin
Ecosystem: composer
Vulnerable Versions: <= 5.0.2
First Patched Version: (not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability chain starts in the add() method of Index.php, which receives the attacker-controlled 'joinTable' input. That input is passed to CurdService's makeController() method, where it is interpolated directly into SQL statements without sanitization. Both functions are essential to the chain: Index::add propagates the tainted data, and CurdService::makeController performs the unsafe SQL construction. The GitHub issue explicitly identifies these components, and the described behavior matches CWE-89 (raw user input in SQL).
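The pattern described above is a table-name injection: an identifier, not a value, reaches the SQL text, and identifiers cannot be bound as prepared-statement parameters. The following added illustration (not funadmin's code; it assumes PDO against MySQL, and the function names buildJoinUnsafe, resolveJoinTable and buildJoinSafe are hypothetical) contrasts the unsafe interpolation with an allowlist check against the live schema, so that only a table that actually exists can be spliced into the statement.

```php
<?php
// Added illustration, not funadmin's code. The advisory describes a
// 'joinTable' value reaching SQL construction unsanitised. Table names
// cannot be bound as parameters, so the defence is to validate the
// identifier against the schema and then quote it. Assumes PDO on MySQL;
// all function names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern (what the advisory describes): the identifier is
// interpolated straight into the statement text.
function buildJoinUnsafe(string $joinTable): string
{
    return "SELECT * FROM `{$joinTable}`";
}

// Hardened pattern: resolve the requested name against the tables that
// actually exist, using a bound parameter for the lookup itself.
function resolveJoinTable(PDO $pdo, string $joinTable): string
{
    // Cheap syntactic gate first: plain identifier characters only.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $joinTable)) {
        throw new InvalidArgumentException('joinTable is not a valid identifier');
    }
    // Schema allowlist: the value is a parameter here, never SQL text.
    $stmt = $pdo->prepare(
        'SELECT TABLE_NAME FROM information_schema.TABLES
          WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = :name'
    );
    $stmt->execute([':name' => $joinTable]);
    $found = $stmt->fetchColumn();
    if ($found === false) {
        throw new InvalidArgumentException('joinTable does not exist');
    }
    // Return the canonical name from the catalogue, backtick-quoted.
    return '`' . str_replace('`', '``', (string) $found) . '`';
}

function buildJoinSafe(PDO $pdo, string $joinTable): string
{
    return 'SELECT * FROM ' . resolveJoinTable($pdo, $joinTable);
}
```

A static allowlist of permitted table names is equally valid and avoids the catalogue query when the set of joinable tables is known in advance.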


WAF Protection Rules

WAF Rule

funadmin *.*.* has a SQL injection vulnerability in the curd one click command mode plugin.
