pearProjectApi SQL Injection Vulnerability in project.php
Vulnerability
A SQL injection vulnerability has been identified in pearProjectApi version 2.8.10. The issue arises in the project.php file, specifically within the getLogBySelfProject method. When the projectCode parameter is provided, it is directly inserted into the SQL query without proper sanitization, allowing attackers to manipulate the SQL statement and execute arbitrary SQL commands.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a POST request to the /index.php/project/project/getLogBySelfProject endpoint. Include the projectCode parameter with a crafted payload that closes the original SQL statement and injects additional SQL commands. The injection can be verified by, for example, using a payload that extracts database user information.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.