JoeyBling Bootplus SQL Injection Vulnerability in Admin Menu List

Vulnerability

A critical SQL injection vulnerability has been identified in JoeyBling Bootplus versions prior to the commit 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. The issue arises in the admin/sys/menu/list endpoint, where the sort and order parameters are not properly sanitized, allowing attackers to inject malicious SQL commands. This vulnerability can be exploited remotely, with known technical details and a public proof-of-concept exploit available.

Impact

Exploitation of this vulnerability allows for arbitrary SQL code execution, potentially leading to unauthorized data access or manipulation.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the admin/sys/menu/list endpoint. Use the sort parameter to inject SQL payloads, taking advantage of the lack of input validation. The injected SQL can be used to extract database information, demonstrating the successful exploitation of the SQL injection flaw.
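The root cause described above is that a column name and sort direction cannot be bound as query parameters, so the only safe way to accept them from the request is to map the input onto a fixed allowlist. The following is an added example, not code from the Bootplus project: it places the flawed concatenation pattern beside a hardened builder, using a constructed `sys_menu` table and column names assumed for illustration.

```python
import sqlite3

# Column names the menu list may legitimately sort on. Constructed for this
# example; the real Bootplus schema is not shown in the advisory.
ALLOWED_SORT_COLUMNS = {
    "menu_id": "menu_id",
    "name": "name",
    "order_num": "order_num",
}
ALLOWED_ORDER = {"asc": "ASC", "desc": "DESC"}


def build_order_by_vulnerable(sort: str, order: str) -> str:
    """Mirrors the flawed pattern: identifiers spliced straight into the SQL.
    Whatever the caller sends becomes part of the statement text."""
    return f"SELECT menu_id, name FROM sys_menu ORDER BY {sort} {order}"


def build_order_by_safe(sort: str, order: str) -> str:
    """Identifiers cannot be parameterised, so map user input onto a fixed
    allowlist and reject anything else before it reaches the database."""
    column = ALLOWED_SORT_COLUMNS.get(sort)
    direction = ALLOWED_ORDER.get(order.lower())
    if column is None or direction is None:
        raise ValueError(f"rejected sort={sort!r} order={order!r}")
    return f"SELECT menu_id, name FROM sys_menu ORDER BY {column} {direction}"


def list_menus(conn: sqlite3.Connection, sort: str, order: str) -> list[tuple]:
    """Hardened list query: only allowlisted identifiers ever reach SQL."""
    return conn.execute(build_order_by_safe(sort, order)).fetchall()


def demo_conn() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_menu (menu_id INTEGER, name TEXT, order_num INTEGER)")
    conn.executemany("INSERT INTO sys_menu VALUES (?, ?, ?)",
                     [(1, "system", 2), (2, "users", 1), (3, "roles", 3)])
    return conn


if __name__ == "__main__":
    conn = demo_conn()
    print(list_menus(conn, "order_num", "asc"))
    # A value that is not a known column is refused instead of concatenated.
    try:
        list_menus(conn, "name; --", "asc")
    except ValueError as err:
        print(err)
```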

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.