pearProjectApi SQL Injection Vulnerability in project.php
Vulnerability
A SQL injection vulnerability has been identified in pearProjectApi version 2.8.10. The issue arises in the project.php file, specifically within the selfList method. The vulnerability is triggered by the organizationCode parameter, which is improperly sanitized before being used in a SQL query. This allows attackers to manipulate the SQL statement and execute arbitrary SQL commands, potentially leading to unauthorized data access.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a POST request to the index.php/project/project/selfList endpoint. Include the organizationCode parameter with a crafted value that exploits the SQL injection vulnerability, and the memberCode parameter with a valid value that exists in the database. The crafted organizationCode value should be designed to manipulate the SQL query execution, such as by using SQL injection techniques to extract database information.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.