Hi.Events SQL Injection Vulnerability in Sort Parameter Handling
Vulnerability
A SQL injection vulnerability has been identified in Hi.Events, an open-source event management platform, affecting versions from 0.8.0-beta.1 up to, but not including, 1.7.1-beta. Multiple repository classes do not properly validate the user-supplied sort_by query parameter before passing it to Eloquent's orderBy() method. Because the application runs on PostgreSQL, which supports stacked queries, this unvalidated input allows SQL injection. The vulnerability has been patched in version 1.7.1-beta.
Impact
Exploitation of this vulnerability allows an attacker to execute injected SQL, with the potential to exfiltrate data via stacked queries in PostgreSQL. This could include access to sensitive information such as attendee personal data, payment details, and promo codes. Exploitation requires authentication as an organizer.
Reproduction
The vulnerability can be reproduced by sending a request to the API endpoint for event attendees with a crafted sort_by parameter that exploits the SQL injection flaw. For example, an authenticated organizer could append a SQL injection payload, such as one that delays the response; the delayed response confirms that the injection succeeded.
Remediation
The vulnerability has been addressed in version 1.7.1-beta, and users should update to this version. Those maintaining their own fork should apply the same validation pattern used in the admin endpoint to every repository class that handles the sort_by parameter.
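The remediation above and the flaw described in the Vulnerability section both come down to the same rule: a request may only choose a sort column from a fixed allowlist, never supply the ORDER BY expression itself. The following is an added example, not Hi.Events' own code or its admin-endpoint pattern; the resource names, column lists and the resolveSort() helper are assumptions for illustration, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not Hi.Events' own code): allowlist validation for the
// sort_by / sort_direction query parameters before they reach orderBy().
// Resource names and column lists are assumed, not taken from the Hi.Events schema.

final class SortValidationException extends InvalidArgumentException {}

// Columns each resource may be sorted by. Anything not listed is rejected,
// so a request can never choose the ORDER BY expression itself.
const SORTABLE_COLUMNS = [
    'attendees' => ['id', 'first_name', 'last_name', 'email', 'created_at'],
    'orders'    => ['id', 'total_gross', 'status', 'created_at'],
];

const SORT_DIRECTIONS = ['asc', 'desc'];

/**
 * Resolve user-supplied sort parameters to a (column, direction) pair.
 *
 * @param string      $resource      which allowlist applies
 * @param string|null $sortBy        raw ?sort_by= value, may be absent
 * @param string|null $sortDirection raw ?sort_direction= value, may be absent
 * @param string      $defaultColumn used when sort_by is omitted
 * @return array{0:string,1:string}  column and direction safe to hand to orderBy()
 * @throws SortValidationException   on any value outside the allowlist
 */
function resolveSort(
    string $resource,
    ?string $sortBy,
    ?string $sortDirection,
    string $defaultColumn = 'created_at'
): array {
    $allowed = SORTABLE_COLUMNS[$resource] ?? null;
    if ($allowed === null) {
        throw new SortValidationException("Unknown resource: {$resource}");
    }

    // Omitted parameters fall back to defaults; supplied ones must match exactly.
    $column = $sortBy ?? $defaultColumn;
    if (!in_array($column, $allowed, true)) {
        throw new SortValidationException("Unsupported sort_by value: {$column}");
    }

    // Case is normalised for the direction, but the value must still be allowlisted.
    $direction = strtolower($sortDirection ?? 'desc');
    if (!in_array($direction, SORT_DIRECTIONS, true)) {
        throw new SortValidationException("Unsupported sort_direction value: {$direction}");
    }

    return [$column, $direction];
}

// In a repository, this result is the only thing that reaches the query builder:
//   [$column, $direction] = resolveSort('attendees', $request->query('sort_by'), $request->query('sort_direction'));
//   $query->orderBy($column, $direction);

// Demonstration with constructed inputs, including one shaped like an injection
// attempt (not a working payload) and one naming a column that exists but must not be sortable.
$samples = [
    ['attendees', 'last_name', 'asc'],
    ['attendees', null, null],
    ['attendees', 'email', 'DESC'],
    ['attendees', 'id; -- not a column', 'asc'],
    ['attendees', 'password', 'asc'],
    ['orders', 'total_gross', 'sideways'],
    ['promo_codes', 'id', 'asc'],
];

foreach ($samples as [$resource, $sortBy, $direction]) {
    try {
        [$col, $dir] = resolveSort($resource, $sortBy, $direction);
        printf("accepted: %-11s sort_by=%-22s -> ORDER BY %s %s\n",
            $resource, var_export($sortBy, true), $col, $dir);
    } catch (SortValidationException $e) {
        printf("rejected: %-11s %s\n", $resource, $e->getMessage());
    }
}
```

Running the script with `php` shows the first three samples accepted and the remaining four rejected before any query is built. The design point is that validation happens once, in a helper shared by every repository, so a class cannot forget it the way the affected repository classes did; the exception should be mapped to a 422 response by the controller rather than allowed to surface as a database error.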
