Givanz Vvveb SQL Injection Vulnerability in Import Functionality
Vulnerability
A critical SQL injection vulnerability has been identified in Givanz Vvveb versions through 1.0.7.3. The issue resides in the import function of the file admin/controller/tools/import.php, within the Raw SQL Handler component. This vulnerability allows an authenticated administrator to upload a .sql file, which can be exploited to execute malicious SQL commands, potentially leading to unauthorized data access or manipulation.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, log into the admin panel and navigate to Tools -> Import. Upload a .sql file containing a crafted SQL payload designed to exploit the SQL injection vulnerability, such as one that extracts sensitive data from the database.
Remediation
Users are advised to update to the latest version of Givanz Vvveb, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.