JoeyBling Bootplus SQL Injection Vulnerability in User Management List
Vulnerability
A critical SQL injection vulnerability has been identified in JoeyBling Bootplus versions up to commit 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. The issue arises in the user management list administration page, specifically within the sorting functionality. The vulnerability can be exploited remotely, allowing attackers to manipulate the sort parameter to inject malicious SQL, potentially leading to unauthorized data access or manipulation.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a request to the '/admin/sys/user/list' endpoint. Include a crafted 'sort' parameter that exploits the lack of input validation, such as by injecting SQL payloads that could be executed by the database. The injection can be verified by, for example, extracting database user information through the injected SQL.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.