Craft Commerce SQL Injection Vulnerability in Product and Variant Queries
Vulnerability
A SQL injection vulnerability has been identified in Craft Commerce versions 5.0.0 up to, but not including, 5.6.0. The 'element-indexes/get-elements' endpoint uses the 'criteria[orderBy]' parameter in a database query without proper sanitization. Because the value is placed in the 'ORDER BY' clause, an authenticated control panel user can inject arbitrary SQL there and perform boolean-based blind SQL injection. As a result, an attacker could extract sensitive database information, including security keys that could be used to forge admin sessions and escalate privileges.
Impact
Exploitation of this vulnerability allows blind SQL injection, enabling attackers to exfiltrate, or potentially modify, database information. Extraction of security keys could additionally lead to unauthorized admin access.
Reproduction
To reproduce this vulnerability, log into the Craft Commerce control panel and navigate to any element index. Intercept the POST request to the 'element-indexes/get-elements' endpoint and modify the JSON body to include a crafted SQL injection payload in the 'criteria[orderBy]' parameter. Send the request and observe the response for signs of successful exploitation, such as a delay indicating SQL injection via a 'SLEEP' payload.
Remediation
Users can upgrade to Craft Commerce version 5.6.0 or later, where this vulnerability has been fixed.
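The defect described above is an untrusted sort expression concatenated into the ORDER BY clause, a position where bound parameters cannot help because the database expects an expression, not a value. The following is an added Python example, not code from Craft Commerce or from this advisory, that places that vulnerable pattern beside an allowlist-based fix and reuses the same validator to flag suspicious 'criteria[orderBy]' values in request logs. The product table, column names, function names and log values are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for a product/variant table.
SAMPLE_PRODUCTS = [("Mug", 12.0), ("Shirt", 25.0), ("Hat", 18.0)]


def make_db():
    """Build an in-memory SQLite table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, title TEXT, price REAL)")
    conn.executemany("INSERT INTO products (title, price) VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def get_elements_vulnerable(conn, order_by):
    """Vulnerable pattern: the request's orderBy string is concatenated into SQL.
    Placeholders cannot help here, since ORDER BY takes an expression, not a value."""
    sql = f"SELECT id, title, price FROM products ORDER BY {order_by}"
    return [row[1] for row in conn.execute(sql)]


# Hardened pattern: map the client-supplied sort field to a known column name
# and restrict the direction to ASC/DESC. Everything else is rejected.
SORTABLE_FIELDS = {"id": "id", "title": "title", "price": "price"}
ORDER_BY_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(asc|desc)?\s*$", re.IGNORECASE)


class InvalidOrderBy(ValueError):
    """Raised when criteria[orderBy] is not '<allowlisted field> [asc|desc]'."""


def parse_order_by(raw):
    """Return (column, direction) for a valid orderBy string, else raise InvalidOrderBy."""
    match = ORDER_BY_RE.match(raw or "")
    if not match:
        raise InvalidOrderBy(f"malformed orderBy: {raw!r}")
    field = match.group(1).lower()
    if field not in SORTABLE_FIELDS:
        raise InvalidOrderBy(f"unknown sort field: {field!r}")
    direction = (match.group(2) or "asc").upper()
    return SORTABLE_FIELDS[field], direction


def get_elements_hardened(conn, order_by):
    """Only allowlisted column names and ASC/DESC ever reach the query text."""
    column, direction = parse_order_by(order_by)
    sql = f'SELECT id, title, price FROM products ORDER BY "{column}" {direction}'
    return [row[1] for row in conn.execute(sql)]


def flag_suspicious_order_by(values):
    """Detection helper: return the orderBy values from request logs that the
    same allowlist would reject; these are worth reviewing as injection attempts."""
    flagged = []
    for value in values:
        try:
            parse_order_by(value)
        except InvalidOrderBy:
            flagged.append(value)
    return flagged


if __name__ == "__main__":
    db = make_db()
    # A boolean condition inside the injected expression changes the sort order,
    # which is what makes the ORDER BY position usable for blind injection.
    print(get_elements_vulnerable(db, "CASE WHEN 1=1 THEN price ELSE title END"))  # price order
    print(get_elements_vulnerable(db, "CASE WHEN 1=0 THEN price ELSE title END"))  # title order
    print(get_elements_hardened(db, "price desc"))
    try:
        get_elements_hardened(db, "CASE WHEN 1=1 THEN price ELSE title END")
    except InvalidOrderBy as exc:
        print("rejected:", exc)
    # Constructed log values of criteria[orderBy] seen at the endpoint.
    print(flag_suspicious_order_by(["title", "price desc", "price, (SELECT 1)"]))
```

The hardened function never interpolates client text: the request field is only used as a dictionary key, and the direction is normalized to one of two fixed tokens. Running the same validator over logged 'criteria[orderBy]' values gives a cheap detection signal for instances that have not yet been upgraded.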
