Craft CMS
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*
- >= 5.0.0-RC1, <= 5.9.8
A SQL injection vulnerability has been identified in the actionSearch() method of Craft CMS's ElementSearchController. The controller does not strip unsupported criteria attributes, a protection that was previously applied to ElementIndexesController. As a result, authenticated control panel users can inject arbitrary SQL through query properties such as criteria[where] and criteria[orderBy]. This allows boolean-based blind SQL injection, which can be used to extract the entire database contents.
Successful exploitation gives the attacker arbitrary SQL injection, which can be used to manipulate database queries and extract sensitive information from the database. In this case, the full database contents can be read through boolean-based blind injection.
Users are advised to update Craft CMS to version 5.9.9 or later, where this vulnerability has been patched.
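For reviewing request logs from the affected period, the following added example (not Craft CMS code and not part of the original advisory) flags requests whose query string or form body sets criteria[where] or criteria[orderBy], including percent-encoded and nested forms. The four-field log layout, the paths and the values are constructed assumptions; adapt the parsing to whatever request logging captures parameters in your environment.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Properties the advisory names as injectable, lower-cased ("such as": extend if needed).
RISKY_PROPERTIES = {"where", "orderby"}
# Matches criteria[<property>] and nested forms such as criteria[<property>][0].
CRITERIA_KEY = re.compile(r"^criteria\[([^\]]+)\]", re.IGNORECASE)

# Constructed sample records: "<timestamp> <method> <url> <form-body or ->".
# Paths and values are placeholders, not real Craft routes or payloads.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z POST /placeholder/search criteria%5Bexample%5D=1&search=news",
    "2025-01-01T10:00:05Z POST /placeholder/search criteria%5Bwhere%5D=PLACEHOLDER&search=a",
    "2025-01-01T10:00:09Z POST /placeholder/search criteria[orderBy][0]=PLACEHOLDER",
    "2025-01-01T10:00:12Z GET /placeholder/search?criteria%5BORDERBY%5D=PLACEHOLDER -",
    "malformed line",
]


def risky_criteria(encoded_params):
    """Return the flagged criteria properties set in a query string or form body."""
    found = set()
    # parse_qsl percent-decodes keys, so criteria%5Bwhere%5D is seen as criteria[where].
    for key, _value in parse_qsl(encoded_params, keep_blank_values=True):
        match = CRITERIA_KEY.match(key)
        if match and match.group(1).lower() in RISKY_PROPERTIES:
            found.add(match.group(1).lower())
    return sorted(found)


def scan(lines):
    """Return (line_number, path, properties) for each record worth reviewing."""
    findings = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 4:
            continue  # skip records that do not match the assumed layout
        _timestamp, _method, url, body = fields
        parts = urlsplit(url)
        params = parts.query if body == "-" else parts.query + "&" + body
        hits = risky_criteria(params)
        if hits:
            findings.append((number, parts.path, hits))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit is a lead for review rather than proof of exploitation; correlate it with the authenticated control panel account that sent the request.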