Simple Admin Core SQL Injection Vulnerability Allowing Data Leakage and Disruption of Operations
Vulnerability
A limited SQL injection vulnerability has been identified in Simple Admin Core versions 1.2.0 through 1.6.7. The issue arises in the '/sys-api/role/update' interface, where the user-supplied 'code' value is inserted directly into an SQL statement without proper sanitization or parameter binding. The injection is limited in scope but could lead to partial data leakage or disruption of normal system operations.
Impact
Exploitation of this vulnerability allows an authenticated user with access to the role-update interface to alter the structure of the SQL query, which could be used to read or modify database information beyond the intended role record. Because SQL comment syntax can truncate the remainder of a statement (for example, the clause that scopes an UPDATE to a single row), the vulnerability could also be used to disrupt normal system operations, including a denial-of-service condition caused by occupying database resources or by mass modification of role data.
Reproduction
To reproduce this vulnerability, send a POST request to the '/sys-api/role/update' endpoint with a request body whose 'code' parameter contains a crafted SQL injection payload, such as a value that closes the string literal and uses SQL comment syntax ('--') to discard the rest of the statement. Because the application builds the query from this value rather than binding it as a parameter, the resulting statement no longer has the shape the developer intended, potentially leading to unauthorized data access or modification.
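The following Go snippet is an added illustration and is not code from the Simple Admin Core repository: it models the vulnerable pattern (concatenating the 'code' value into SQL text) next to the parameterized form, and shows how a comment payload strips the WHERE clause from the concatenated statement while the bound version keeps its shape. The table name 'sys_roles', the column names and the payload are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed table name for the role record; not taken from the project.
const tableName = "sys_roles"

// buildUnsafeUpdate concatenates the user-controlled code value into the
// statement text. This is the vulnerable pattern described in the advisory.
func buildUnsafeUpdate(code string, id int) string {
	return fmt.Sprintf("UPDATE %s SET code = '%s' WHERE id = %d", tableName, code, id)
}

// buildSafeUpdate keeps the statement text constant and passes the user value
// as a bound argument, so the database never parses it as SQL.
func buildSafeUpdate(code string, id int) (string, []any) {
	return fmt.Sprintf("UPDATE %s SET code = ? WHERE id = ?", tableName), []any{code, id}
}

// effectiveSQL approximates what the database parser executes: a "--" marker
// outside a single-quoted literal comments out everything to the end of line.
func effectiveSQL(q string) string {
	inQuote := false
	for i := 0; i < len(q); i++ {
		switch {
		case q[i] == '\'':
			inQuote = !inQuote
		case !inQuote && strings.HasPrefix(q[i:], "--"):
			return strings.TrimSpace(q[:i])
		}
	}
	return strings.TrimSpace(q)
}

// hasWhereClause reports whether the statement, as executed, still scopes the
// UPDATE to a single row. Losing the WHERE clause turns a one-row change into
// a change of every role, which is the disruption the advisory warns about.
func hasWhereClause(q string) bool {
	return strings.Contains(strings.ToUpper(effectiveSQL(q)), " WHERE ")
}

func main() {
	// Constructed payload: closes the literal, then comments out the rest.
	payload := "admin' -- "

	unsafe := buildUnsafeUpdate(payload, 7)
	fmt.Println("concatenated: ", unsafe)
	fmt.Println("executed as:  ", effectiveSQL(unsafe))
	fmt.Println("row-scoped?   ", hasWhereClause(unsafe))

	safe, args := buildSafeUpdate(payload, 7)
	fmt.Println("parameterized:", safe)
	fmt.Println("bound args:   ", args)
	fmt.Println("row-scoped?   ", hasWhereClause(safe))
}
```

The same payload that collapses the concatenated statement to `UPDATE sys_roles SET code = 'admin'` is carried through the parameterized version only as the literal string value of the `code` column, which is the property a fix for this class of issue must establish.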
Remediation
The vulnerability has been addressed in a commit by the author, which is available on the Simple Admin Core GitHub repository. Deployments running an affected version should upgrade to a release that includes that commit; until then, access to the '/sys-api/role/update' interface should be restricted to trusted administrators.