SPIP Interface Traduction Objets Plugin Authenticated SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in the SPIP interface_traduction_objets plugin, affecting versions prior to 4.3.3. The vulnerability resides in the file interface_traduction_objets_pipelines.php, where the plugin processes translation requests. It improperly handles the id_parent parameter by inserting it directly into the SQL WHERE clause passed to sql_getfetsel(), without adequate input validation or parameterization. This flaw allows authenticated attackers with editor-level privileges to inject malicious SQL through the id_parent parameter and thereby manipulate the database query. Exploitation of this vulnerability could lead to unauthorized disclosure or modification of database information, and may cause a denial-of-service condition, depending on the database settings and user privileges.
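The pattern the advisory describes, shown as an added illustration that is not the plugin's own code: a request value concatenated into the WHERE clause of SPIP's sql_getfetsel(), beside the usual SPIP-idiom fix that casts numeric ids with intval() and quotes string values with sql_quote(). The table name spip_hypothetique, the column names and the function names are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code. SPIP's sql_getfetsel($select, $from, $where)
// builds and runs a SELECT and returns the first matching row, or false.
include_spip('base/abstract_sql');

// Vulnerable pattern: the request value is inlined into the WHERE clause as-is,
// so whatever the caller places in id_parent becomes part of the SQL text.
function trouver_parent_vulnerable(array $request) {
    $id_parent = $request['id_parent'] ?? '';
    return sql_getfetsel('id_objet, objet', 'spip_hypothetique', 'id_parent=' . $id_parent);
}

// Hardened: id_parent is a numeric key, so it is cast with intval() before it can
// reach the query. A non-numeric value becomes 0 and is refused instead of being
// interpreted as SQL.
function trouver_parent(array $request) {
    $id_parent = intval($request['id_parent'] ?? 0);
    if ($id_parent <= 0) {
        return false; // invalid or missing id: do not query at all
    }
    return sql_getfetsel('id_objet, objet', 'spip_hypothetique', 'id_parent=' . $id_parent);
}

// For values that must remain strings (for example an object type), sql_quote()
// escapes and quotes them for the active database driver.
function trouver_par_objet(string $objet) {
    return sql_getfetsel('id_objet', 'spip_hypothetique', 'objet=' . sql_quote($objet));
}
```

The same two rules apply to any other request field that ends up in a WHERE clause: cast identifiers to integers and pass everything else through sql_quote().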
Impact
Exploitation of this vulnerability allows for authenticated SQL injection, which could be used to manipulate database queries. This could result in unauthorized data access or modification, and potentially cause a denial-of-service condition, depending on the database configuration and user privileges.
Remediation
Users can update to version 2.2.2 or later to address this vulnerability.