ITFlow SQL Injection Vulnerability in Role Management

A SQL injection vulnerability has been identified in ITFlow versions through 25.06. The issue arises in the 'role_id' parameter within the profile editing feature. An authenticated attacker with admin privileges can exploit this vulnerability through blind SQL injection, allowing for the extraction of arbitrary data from the database. The root cause of the vulnerability is inadequate input sanitization for integer parameters, enabling direct manipulation of SQL queries.

Impact

Exploitation of this vulnerability allows authenticated attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, data modification, or privilege escalation, depending on the database permissions and application logic.

Reproduction

To reproduce this vulnerability, an authenticated user with admin rights can access the profile editing feature. By injecting crafted SQL payloads into the 'role_id' parameter, the attacker can manipulate the SQL query execution. The lack of proper input validation allows these injections to be executed, leading to data extraction or modification from the database.

Remediation

Users can update to ITFlow version 25.07 or later, where this SQL injection vulnerability has been fixed.