Craft Commerce SQL Injection Vulnerability in Purchasables Table Sorting

Vulnerability

A SQL injection vulnerability has been identified in Craft Commerce versions 4.0.0 prior to 4.10.2 and 5.0.0 prior to 5.5.3. The issue arises in the purchasables table endpoint, where the sort parameter is not properly validated. An authenticated attacker can exploit this by injecting arbitrary SQL into the ORDER BY clause, potentially leading to unauthorized data access or manipulation.
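
The defect class above (a request's sort value pasted straight into ORDER BY) and the usual fix (an allowlist of sortable keys and directions) are shown here in an added Python example with a constructed three-row table; it is not Craft Commerce code, and the column names, the `purchasables` table layout and the `sku`/`title`/`price` keys are assumptions for illustration only.

```python
import sqlite3
from typing import Optional

# Allowlist: the only sort keys and directions a request may select.
# Column names are hypothetical, not the project's schema.
ALLOWED_SORT_COLUMNS = {"title": "title", "sku": "sku", "price": "price"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def vulnerable_order_by(sort: str) -> str:
    """Mirrors the flaw class: untrusted sort text is concatenated into ORDER BY."""
    return f"SELECT sku FROM purchasables ORDER BY {sort}"


def safe_order_by(sort: str) -> Optional[str]:
    """Builds ORDER BY only from allowlisted identifiers.

    Returns None for anything else so the caller can reject the request
    (e.g. with a 400) instead of passing the text to the database.
    """
    parts = sort.strip().split()
    if not 1 <= len(parts) <= 2:
        return None
    column = ALLOWED_SORT_COLUMNS.get(parts[0].lower())
    direction = ALLOWED_DIRECTIONS.get(parts[1].lower()) if len(parts) == 2 else "ASC"
    if column is None or direction is None:
        return None
    return f"SELECT sku FROM purchasables ORDER BY {column} {direction}"


def query_skus(sort: str) -> Optional[list]:
    """Runs the validated query against a constructed in-memory table."""
    sql = safe_order_by(sort)
    if sql is None:
        return None
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE purchasables (sku TEXT, title TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO purchasables VALUES (?, ?, ?)",
        [("B-2", "Widget", 9.5), ("A-1", "Gadget", 12.0), ("C-3", "Gizmo", 3.25)],
    )
    rows = [row[0] for row in conn.execute(sql)]
    conn.close()
    return rows
```

Anything that is not exactly one allowlisted key plus an optional direction is refused before it reaches SQL, which is what the unpatched endpoint failed to do.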

Impact

Exploitation of this vulnerability allows for blind SQL injection, where an attacker can exfiltrate data character-by-character, modify or destroy data, and disrupt application availability.

Reproduction

To reproduce this vulnerability, log into the Craft Commerce control panel and navigate to the Orders section. Create a new order and intercept the AJAX request that retrieves the purchasables table. Modify the sort parameter to include a SQL injection payload, such as a subquery that introduces a delay, and send the request. The response will be delayed, confirming the successful injection.

Remediation

Users can update to Craft Commerce versions 4.10.2 or 5.5.3 to address this vulnerability.

Added: Mar 10, 2026, 8:59 PM
Updated: Mar 10, 2026, 8:59 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.