Listmonk SQL Injection Vulnerability in QuerySubscribers Function Allows Privilege Escalation

Vulnerability

A SQL injection vulnerability has been identified in Listmonk version 4.1.0, specifically within the QuerySubscribers function. This vulnerability allows attackers to manipulate SQL queries, potentially leading to unauthorized access or actions, such as escalating privileges to that of a superuser. The issue arises from the improper handling of SQL query permissions for non-superadmin users.

Impact

Exploitation of this vulnerability allows for unauthorized SQL query execution, with the potential to escalate privileges to a superuser level.

Reproduction

To reproduce this vulnerability, a non-superadmin user account with the 'subscribers:get_all' permission can be used to send a request to the 'GET /api/subscribers' API endpoint. The absence of a proper permission check allows the user to execute arbitrary SQL queries, which can be crafted to access the 'sessions' table and retrieve superadmin session information.
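The request pattern above is detectable in access logs: a subscriber filter is a WHERE-clause fragment over subscriber columns, so statement terminators, comments, UNION, or references to unrelated tables such as `sessions` have no business in it. The following detector is an added example, not Listmonk code; it assumes a hypothetical `user= role= METHOD PATH` log format and that the filter travels in a `query` parameter (the advisory names only the endpoint).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in a hypothetical "user= role= METHOD PATH" format.
# The `query` parameter name is an assumption; the advisory names only the endpoint.
SAMPLE_LOGS = [
    "user=alice role=superadmin GET /api/subscribers?query=subscribers.status%3D%27enabled%27",
    "user=bob role=manager GET /api/subscribers?query=subscribers.email%20LIKE%20%27%25example.com%27",
    "user=bob role=manager GET /api/subscribers?query=1%3D1%3B%20SELECT%20*%20FROM%20sessions",
    "user=carol role=viewer GET /api/campaigns?page=1",
]

LOG_RE = re.compile(r"^user=(\S+) role=(\S+) (\S+) (\S+)$")

# A legitimate subscriber filter is a WHERE-clause fragment over subscriber columns.
# Statement terminators, comments, UNION and references to unrelated tables
# (the advisory names `sessions`) do not belong in it.
SUSPICIOUS = re.compile(
    r";|--|/\*|\bunion\b|\b(sessions|pg_catalog|information_schema)\b", re.IGNORECASE
)


def parse_line(line):
    """Return (user, role, method, path) or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groups() if m else None


def check_request(user, role, method, path):
    """Return a finding dict when a non-superadmin sends a suspicious subscriber query."""
    parts = urlsplit(path)
    if method != "GET" or parts.path != "/api/subscribers":
        return None
    for q in parse_qs(parts.query).get("query", []):  # parse_qs percent-decodes the value
        m = SUSPICIOUS.search(q)
        if m and role != "superadmin":  # superadmins are expected to run arbitrary queries
            return {"user": user, "role": role, "token": m.group(0), "query": q}
    return None


def scan(lines):
    """Run check_request over raw log lines and return the list of findings."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            finding = check_request(*parsed)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"ALERT user={f['user']} role={f['role']} token={f['token']!r} query={f['query']!r}")
```

On the constructed sample, only bob's third request is flagged (first hit on the `;` terminator); a real deployment would also want to alert on the role mismatch itself, since on 4.1.0 the permission check was absent.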

Remediation

Users can upgrade to Listmonk version 5.0.0 or later, where this vulnerability has been fixed. Instructions for upgrading are available in the Listmonk documentation.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.