Slah CMS SQL Injection Vulnerability in vereador_ver.php Endpoint
Vulnerability
A SQL injection vulnerability has been identified in Slah CMS versions through 1.5.0. The issue arises in the vereador_ver.php endpoint, where the id parameter is not properly sanitized before being included in a SQL query. This flaw allows remote attackers to inject malicious SQL commands, potentially leading to unauthorized access and exfiltration of database information, including sensitive administrative data.
Impact
Exploitation of this vulnerability allows for union-based SQL injection, enabling attackers to manipulate SQL queries and exfiltrate database information. This includes administrative credentials, which can be accessed through the application's response.
Reproduction
To reproduce this vulnerability, send a request to the vereador_ver.php endpoint with a crafted id parameter. The injection can be verified by appending a UNION SELECT payload to the id parameter, which will extract data from the database if successful.
Remediation
Users are advised to update Slah CMS to the latest patched version. The application should also be refactored to use parameterized queries instead of string concatenation for SQL command construction.
