Craft CMS
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*
- >= 5.0.0-RC1, <= 5.8.21
- >= 4.0.0-RC1, <= 4.16.17
A SQL injection vulnerability has been identified in Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21. The 'element-indexes/get-elements' Control Panel endpoint passes the 'criteria[orderBy]' parameter into the ORDER BY clause of its database query without proper sanitization, so an authenticated attacker with Control Panel access can inject arbitrary SQL into that clause. The injection is reachable either by omitting the 'viewState[order]' parameter or by setting 'viewState[order]' and 'criteria[orderBy]' to the same payload.
Exploitation yields a blind SQL injection through which an attacker can exfiltrate, modify, or destroy database data. Because the ORDER BY expression is evaluated once for every row being sorted, a conditional payload changes the order of the returned rows and a time-delay payload is executed for each row, so the attacker can infer data one character per request from either the row order or the response time.
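The following is an added example, not Craft CMS code: it reproduces the class of bug described above in a throwaway SQLite database (with constructed sample data), shows a boolean-based blind extraction through an injectable ORDER BY clause, and places an allow-list based parser beside it as the hardened form. The table names, the 'get_elements_*' functions and the secret value are assumptions for illustration and do not correspond to Craft's schema or code; the time-delay variant is not shown because SQLite has no sleep function.

```python
import sqlite3
import string

# Constructed sample data: a small "elements" index plus a secret the
# attacker wants to read out of another table. Not Craft's schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE elements (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO elements (title) VALUES ('banana'), ('apple'), ('cherry');
        CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT);
        INSERT INTO users (password) VALUES ('s3cret');
    """)
    return conn

def get_elements_unsafe(conn, order_by):
    # Vulnerable pattern (illustrative): a caller-controlled sort expression is
    # interpolated into ORDER BY. ORDER BY cannot be bound as a parameter, so
    # the string reaches the SQL engine and is evaluated once per row.
    sql = f"SELECT id, title FROM elements ORDER BY {order_by}"
    return [row[1] for row in conn.execute(sql)]

ALLOWED_COLUMNS = {"id", "title"}
ALLOWED_DIRECTIONS = {"asc", "desc"}

def parse_order_by(order_by):
    # Hardened pattern: accept only "<column> [asc|desc]" where the column and
    # direction come from fixed allow-lists, and return the validated tokens.
    parts = order_by.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("invalid orderBy")
    column = parts[0].lower()
    direction = parts[1].lower() if len(parts) == 2 else "asc"
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError("invalid orderBy")
    return column, direction

def get_elements_safe(conn, order_by):
    # The clause is rebuilt from validated tokens, never from the raw input.
    column, direction = parse_order_by(order_by)
    sql = f"SELECT id, title FROM elements ORDER BY {column} {direction}"
    return [row[1] for row in conn.execute(sql)]

def extract_secret_blind(conn, max_len=16):
    # Boolean-based blind extraction via ORDER BY: the CASE expression sorts
    # by id when the guessed character is correct and by title otherwise, so
    # the order of the rows in the response leaks one bit per request.
    secret = ""
    alphabet = string.ascii_lowercase + string.digits
    sorted_by_id = ["banana", "apple", "cherry"]  # insertion order, see build_db
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = (
                f"CASE WHEN (SELECT substr(password,{pos},1) FROM users "
                f"WHERE id=1)='{ch}' THEN id ELSE title END"
            )
            if get_elements_unsafe(conn, payload) == sorted_by_id:
                secret += ch
                break
        else:
            break  # no character matched at this position: end of string
    return secret

if __name__ == "__main__":
    db = build_db()
    print("leaked via ORDER BY:", extract_secret_blind(db))
    try:
        get_elements_safe(db, "CASE WHEN 1=1 THEN id ELSE title END")
    except ValueError as exc:
        print("hardened parser rejected payload:", exc)
```

The fix is not escaping: sort expressions are identifiers, not values, so the only reliable defence is to map the user's choice onto a fixed set of known columns and directions and build the clause from that mapping.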
To reproduce this vulnerability, log in to the Craft CMS Control Panel, open any element index such as 'Users', 'Entries', or 'Assets', and intercept the POST request to '/index.php?p=admin/actions/element-indexes/get-elements' that loads the index. Replace the value of 'criteria[orderBy]' in the request body with a crafted SQL payload, either omitting 'viewState[order]' or setting it to the same value. Send the request; a measurable delay in the response to a time-based payload confirms that the injected SQL was executed.
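For the defensive side of the steps above, here is an added detection example (not Craft's code and not a Craft log format): it inspects request records for the 'get-elements' endpoint and flags a 'criteria[orderBy]' value that is anything other than a plain list of column names with optional sort directions, together with the two parameter patterns the advisory names. The request dictionaries, the flattened 'params' mapping and the payload strings are constructed for the example; an actual deployment would feed it from the web server's or WAF's request log.

```python
import re
from typing import Dict, List

ENDPOINT = "element-indexes/get-elements"

# A legitimate sort expression is a comma-separated list of
# "<column> [asc|desc]" terms. Parentheses, quotes, operators and SQL
# keywords such as CASE or SELECT cannot appear in that grammar.
_TERM = r"[A-Za-z_][A-Za-z0-9_.]*(?:\s+(?:asc|desc))?"
BENIGN_ORDER_BY = re.compile(rf"^\s*{_TERM}(?:\s*,\s*{_TERM})*\s*$", re.IGNORECASE)

def inspect_request(req: Dict) -> List[str]:
    """Return the reasons a request looks like an ORDER BY injection attempt
    against the element index endpoint; an empty list means nothing flagged."""
    findings: List[str] = []
    if req.get("method") != "POST" or ENDPOINT not in req.get("path", ""):
        return findings
    params = req.get("params", {})
    order_by = params.get("criteria[orderBy]")
    if order_by is None or BENIGN_ORDER_BY.match(order_by):
        return findings
    findings.append("criteria[orderBy] is not a plain column/direction list")
    view_order = params.get("viewState[order]")
    if view_order is None:
        findings.append("viewState[order] omitted")
    elif view_order == order_by:
        findings.append("viewState[order] set to the same payload")
    return findings

# Constructed request records (assumed shape: method, path, flattened params).
SAMPLE_REQUESTS = [
    {"id": "benign", "method": "POST",
     "path": "/index.php?p=admin/actions/element-indexes/get-elements",
     "params": {"criteria[orderBy]": "dateCreated desc",
                "viewState[order]": "dateCreated desc"}},
    {"id": "omit", "method": "POST",
     "path": "/index.php?p=admin/actions/element-indexes/get-elements",
     "params": {"criteria[orderBy]":
                "CASE WHEN (SELECT 1)=1 THEN id ELSE title END"}},
    {"id": "mirror", "method": "POST",
     "path": "/index.php?p=admin/actions/element-indexes/get-elements",
     "params": {"criteria[orderBy]":
                "CASE WHEN (SELECT 1)=1 THEN id ELSE title END",
                "viewState[order]":
                "CASE WHEN (SELECT 1)=1 THEN id ELSE title END"}},
    {"id": "other-endpoint", "method": "POST",
     "path": "/index.php?p=admin/actions/users/save-user",
     "params": {"criteria[orderBy]": "1); DROP TABLE x; --"}},
]

def scan(requests: List[Dict]) -> Dict[str, List[str]]:
    """Map request id to findings, keeping only requests that were flagged."""
    flagged: Dict[str, List[str]] = {}
    for req in requests:
        findings = inspect_request(req)
        if findings:
            flagged[req["id"]] = findings
    return flagged

if __name__ == "__main__":
    for req_id, reasons in scan(SAMPLE_REQUESTS).items():
        print(req_id, "->", "; ".join(reasons))
```

The allow-list grammar deliberately errs on the side of flagging: a false positive on an unusual but legitimate sort is cheap, whereas a regex that tries to enumerate SQL keywords is easy to slip past.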
Users can update to Craft CMS versions 4.16.18 or 5.8.22, where this vulnerability has been patched.