Craft Commerce SQL Injection Vulnerability in Inventory Levels Table Data Endpoint

Vulnerability

A SQL injection vulnerability has been identified in Craft Commerce versions prior to 5.5.3. The issue arises in the inventory levels table data endpoint, where the sort[0][direction] and sort[0][sortField] parameters are directly concatenated into an addOrderBy() clause without proper validation or sanitization. This flaw allows authenticated attackers with access to the Commerce Inventory section to inject arbitrary SQL queries, potentially leading to a complete database compromise.
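The pattern described above, as an added example that is not Craft Commerce's own code: a function that builds the ORDER BY text by concatenating the request's sort parameters, beside a hardened form that allowlists the sortable columns and the two SQL directions and returns the array form that Yii2's Query::addOrderBy() quotes itself. The column names in the allowlist are assumed for illustration.

```php
<?php
// Added example, not code from Craft Commerce. Shows the unsafe handling of
// sort[0][sortField] / sort[0][direction] next to an allowlisted replacement.

// Vulnerable pattern: request values are concatenated into the ORDER BY text.
// Yii2 leaves a string containing "(" unquoted, so an expression passes through.
function vulnerableOrderBy(array $sort): string
{
    return $sort[0]['sortField'] . ' ' . $sort[0]['direction'];
}

// Hardened form: only allowlisted columns and the two SQL directions are accepted.
// Column names are assumed for this example.
const SORTABLE_COLUMNS = ['sku', 'onHand', 'reserved', 'available'];

function safeOrderBy(array $sort): array
{
    $field = (string)($sort[0]['sortField'] ?? '');
    $direction = strtolower((string)($sort[0]['direction'] ?? 'asc'));

    if (!in_array($field, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("Unsupported sort field: $field");
    }
    if (!in_array($direction, ['asc', 'desc'], true)) {
        throw new InvalidArgumentException("Unsupported sort direction: $direction");
    }
    // Array form ['column' => SORT_ASC|SORT_DESC]: Yii2 quotes the column name
    // and emits only ASC/DESC, so no request text reaches the SQL string.
    return [$field => $direction === 'desc' ? SORT_DESC : SORT_ASC];
}

// Constructed inputs: a normal sort request and one carrying the page's payload.
$legit = [['sortField' => 'sku', 'direction' => 'desc']];
$hostile = [['sortField' => 'sku', 'direction' => 'desc,sleep(2)']];

echo 'Unsafe clause: ', vulnerableOrderBy($hostile), "\n";
echo 'Safe clause: ', json_encode(safeOrderBy($legit)), "\n";

try {
    safeOrderBy($hostile);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The returned array is what you would pass to addOrderBy(); the string-building function exists only to show why concatenation is unsafe.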

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can exfiltrate, modify, or destroy database data. This includes the ability to manipulate database tables and records, potentially leading to a full database compromise.

Reproduction

To reproduce this vulnerability, log into the Craft CMS control panel and navigate to the Commerce Inventory section. Once there, click on any sortable column header to initiate a sort request. Intercept the request and modify the sort[0][direction] or sort[0][sortField] parameters by appending a SQL injection payload, such as ',sleep(2)', to the parameter values. After sending the modified request, observe the response delay, which confirms the successful injection.

Remediation

Users can update to Craft Commerce version 5.5.3 or later to address this vulnerability.

Added: Mar 10, 2026, 8:59 PM
Updated: Mar 10, 2026, 8:59 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.