CVE-2024-48229: SQL injection in funadmin
CVSS Score: 9.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2024-48229
GHSA ID:
EPSS Score: 0.23975%
CWE: CWE-89
Published: 10/25/2024
Updated: 10/28/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| funadmin/funadmin | composer | <= 5.0.2 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability chain starts in Index.php's add() method, which receives attacker-controlled 'joinTable' input. This input is passed to CurdService's makeController() method, where it is directly interpolated into SQL statements without sanitization. Both functions are critical to the exploit: Index::add propagates tainted data, while CurdService::makeController executes unsafe SQL construction. The GitHub issue explicitly identifies these components, and the described behavior aligns with CWE-89 (raw user input in SQL).
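As an added illustration of the pattern described above (this is not funadmin's code; the function and variable names are hypothetical), a request-supplied table name is concatenated into SQL text in the unsafe builder, while the hardened builder validates the identifier against the tables that actually exist, since table names cannot be bound as PDO parameters. The SQLite in-memory schema below is constructed for the demo.

```php
<?php
// Added illustration of the analysis above; NOT funadmin's code.
// buildJoinSqlUnsafe, buildJoinSqlSafe and $joinTable are hypothetical names.

declare(strict_types=1);

// Vulnerable shape: the request-supplied table name lands in the SQL text verbatim.
function buildJoinSqlUnsafe(string $joinTable): string
{
    return "SELECT a.* FROM `main` a LEFT JOIN `" . $joinTable . "` b ON a.id = b.main_id";
}

// Hardened shape: identifiers cannot be bound as parameters, so check the shape of
// the name, then allowlist it against the live schema, then quote it as an identifier.
function buildJoinSqlSafe(PDO $pdo, string $joinTable): string
{
    // Reject anything that is not a plain identifier before touching the database.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $joinTable)) {
        throw new InvalidArgumentException('joinTable is not a plain identifier');
    }
    // Allowlist: the name must match an existing table (SQLite catalogue here;
    // on MySQL the equivalent lookup is information_schema.tables).
    $stmt = $pdo->prepare("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?");
    $stmt->execute([$joinTable]);
    if ($stmt->fetchColumn() === false) {
        throw new InvalidArgumentException('joinTable is not a known table');
    }
    $quoted = '`' . str_replace('`', '``', $joinTable) . '`';
    return "SELECT a.* FROM `main` a LEFT JOIN $quoted b ON a.id = b.main_id";
}

// Demo against an in-memory SQLite database (constructed sample schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE main (id INTEGER PRIMARY KEY)');
$pdo->exec('CREATE TABLE profile (main_id INTEGER)');

echo buildJoinSqlSafe($pdo, 'profile'), PHP_EOL;   // accepted: existing table

// A malformed identifier and an unknown table are both refused by the safe builder...
foreach (['profile`x', 'missing_table'] as $tainted) {
    try {
        buildJoinSqlSafe($pdo, $tainted);
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', var_export($tainted, true), ': ', $e->getMessage(), PHP_EOL;
    }
}
// ...while the unsafe builder emits whatever it was given as part of the statement.
echo buildJoinSqlUnsafe('profile`x'), PHP_EOL;
```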