The analysis is based on the provided commit 11107d6d6e5160b62e05dff8a3a2678cf0e3a426, which modifies the pg_insert_id function in drivers/adodb-postgres64.inc.php.

The pre-patch code concatenated the caller-supplied $tablename and $fieldname directly into the SQL string used to read last_value from the corresponding sequence. Because neither value was quoted or validated, a caller able to influence either argument could terminate the intended identifier and append arbitrary SQL: a textbook SQL injection. The fix wraps the constructed sequence name in pg_escape_identifier, so the name is emitted as a properly double-quoted PostgreSQL identifier and any embedded quote or metacharacter is treated as part of the name rather than as SQL syntax. One side effect worth checking when upgrading: a quoted identifier is case-sensitive, whereas the previous unquoted form was folded to lower case by the server, so callers that passed a mixed-case table or field name and relied on that folding must now pass the exact sequence name.

The function is identified as ADODB_postgres64::pg_insert_id on the assumption that the class follows the usual ADOdb convention of matching the driver file name (adodb-postgres64.inc.php). The vulnerability description also lists the postgres7, postgres8 and postgres9 drivers as affected, which implies that their pg_insert_id methods (e.g. ADODB_postgres7::pg_insert_id) contain the same vulnerable construction. However, since the instruction is to rely on the supplied patch, only the function in adodb-postgres64.inc.php is listed with high confidence, as the one directly evidenced by the commit diff.
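To make the defect and the fix concrete, the following PHP snippet is an added illustration, not ADOdb's own code: it reconstructs the unsafe query construction described above beside a hardened version that quotes the sequence name with pg_escape_identifier. The function names buildSequenceQueryUnsafe and buildSequenceQuerySafe, the hostile input, and the PG_DSN environment variable are all assumptions for this example.

```php
<?php
// Added illustration (not ADOdb's code): unquoted identifier splicing versus
// pg_escape_identifier quoting for a sequence lookup. Function names and the
// PG_DSN environment variable are assumptions for this example.

// Vulnerable shape: the sequence name is spliced in as raw text, so any
// SQL inside $tablename or $fieldname is interpreted by the server.
function buildSequenceQueryUnsafe(string $tablename, string $fieldname): string
{
    return 'SELECT last_value FROM ' . $tablename . '_' . $fieldname . '_seq';
}

// Hardened shape: the whole sequence name is emitted as a single
// double-quoted PostgreSQL identifier; quotes and metacharacters inside it
// become part of the relation name instead of SQL syntax.
function buildSequenceQuerySafe($conn, string $tablename, string $fieldname): string
{
    $seq = pg_escape_identifier($conn, $tablename . '_' . $fieldname . '_seq');
    return 'SELECT last_value FROM ' . $seq;
}

// Constructed hostile input: terminates the FROM clause, appends a second
// statement, and comments out the trailing "_id_seq". pg_query() executes
// multi-statement strings, so the unsafe builder would run the DROP.
$evilTable = 'users; DROP TABLE users; --';

echo buildSequenceQueryUnsafe($evilTable, 'id'), PHP_EOL;

// pg_escape_identifier needs a live connection to know the server's
// quoting rules; the DSN is read from the environment for this demo.
$conn = pg_connect(getenv('PG_DSN') ?: 'dbname=postgres');
if ($conn === false) {
    fwrite(STDERR, "no PostgreSQL connection available; skipping the quoted variant\n");
    exit(1);
}

echo buildSequenceQuerySafe($conn, $evilTable, 'id'), PHP_EOL;
```

Run with a reachable PostgreSQL instance (for example `PG_DSN='host=localhost dbname=postgres' php example.php`). The unsafe builder yields `SELECT last_value FROM users; DROP TABLE users; --_id_seq`, two statements plus a comment, which pg_query would execute in order. The hardened builder yields `SELECT last_value FROM "users; DROP TABLE users; --_id_seq"`, a single statement naming one (nonexistent) relation, so the server answers with a "relation does not exist" error and nothing is dropped. Note that escaping only neutralises the injection; it does not validate that the caller named a real or permitted sequence, so an allowlist of table and field names remains a sensible additional control where the arguments come from untrusted input.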
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| adodb/adodb-php | composer | <= 5.22.8 | 5.22.9 |