Bolt CMS SQL Injection Vulnerability in Order Parameter

Vulnerability

A SQL injection vulnerability has been identified in Bolt CMS versions through 3.7.0. The issue resides in the 'order' parameter of the content listing pages, specifically within the OrderDirective component, where the parameter's value reaches the SQL query without adequate validation. An authenticated attacker with low-level privileges can abuse this parameter to extract sensitive information from the database.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive database information, including administrative password hashes, and potentially allow for a complete database compromise.

Reproduction

To reproduce this vulnerability, log into the Bolt CMS backend with a low-privileged account, such as an Editor. Then, navigate to the content overview pages and inject a time-based SQL payload into the 'order' parameter. If successful, a delay in the server response time will indicate that the SQL injection has been exploited.

Remediation

Users are advised to update to Bolt CMS version 3.7.1 or later, where this vulnerability has been addressed.
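The root cause described above is a sort column taken from the request and placed into the ORDER BY clause of the query. The example below is added here and is not Bolt CMS code or the project's fix; it shows why prepared-statement binding does not help for ORDER BY (a bound placeholder is a value, not an identifier) and what the standard allowlist mitigation looks like. The table, rows and the SORTABLE_COLUMNS allowlist are constructed for the demonstration, and the '-column' convention for descending order is an assumption about the parameter format.

```python
"""Allowlist validation for a user-controlled ORDER BY clause.

Added example, not Bolt CMS code. Uses an in-memory SQLite table with
constructed sample rows to contrast three ways of handling an 'order'
parameter: raw splicing (the anti-pattern), parameter binding (does not
sort), and allowlist validation (the fix).
"""
import re
import sqlite3

# Constructed sample data standing in for a content listing table.
ROWS = [
    (1, "Zebra post", "2024-01-03"),
    (2, "Apple post", "2024-01-01"),
    (3, "Mango post", "2024-01-02"),
]

# Hypothetical allowlist: external names the client may send, mapped to the
# internal SQL identifiers the application is willing to emit.
SORTABLE_COLUMNS = {
    "id": "id",
    "title": "title",
    "datepublish": "datepublish",
}


class InvalidOrderParameter(ValueError):
    """Raised when the order parameter is not in the allowlist."""


def parse_order(order: str) -> tuple[str, str]:
    """Translate an order value ('title' or '-title') into a validated
    (column, direction) pair. A leading '-' (assumed convention) means
    descending. Anything not exactly an allowlisted name is rejected
    outright rather than 'sanitized'."""
    direction = "ASC"
    name = order.strip()
    if name.startswith("-"):
        direction = "DESC"
        name = name[1:]
    # Structural check first, then the allowlist lookup; both must pass.
    if not re.fullmatch(r"[a-z_]+", name) or name not in SORTABLE_COLUMNS:
        raise InvalidOrderParameter(f"unsupported order parameter: {order!r}")
    return SORTABLE_COLUMNS[name], direction


def is_valid_order(order: str) -> bool:
    """Convenience predicate around parse_order for callers and tests."""
    try:
        parse_order(order)
        return True
    except InvalidOrderParameter:
        return False


def make_db() -> sqlite3.Connection:
    """Build the constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER, title TEXT, datepublish TEXT)")
    conn.executemany("INSERT INTO content VALUES (?, ?, ?)", ROWS)
    return conn


def list_titles_unsafe(conn: sqlite3.Connection, order: str) -> list[str]:
    """The anti-pattern: the client's string becomes part of the SQL text,
    so it runs with the application's database privileges."""
    sql = f"SELECT title FROM content ORDER BY {order}"
    return [row[0] for row in conn.execute(sql)]


def list_titles_bound(conn: sqlite3.Connection, order: str) -> list[str]:
    """Binding is not a fix here: the placeholder is a value, so every row
    gets the same constant sort key and the rows are not sorted by title."""
    sql = "SELECT title FROM content ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (order,))]


def list_titles_safe(conn: sqlite3.Connection, order: str) -> list[str]:
    """The fix: only an allowlisted identifier and a fixed direction keyword
    are emitted; the client's raw string never reaches the SQL text."""
    column, direction = parse_order(order)
    sql = f"SELECT title FROM content ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print(list_titles_safe(db, "title"))    # ascending by title
    print(list_titles_safe(db, "-title"))   # descending by title
    print(list_titles_bound(db, "title"))   # not sorted by title
    print(is_valid_order("title; -- anything"))  # False: rejected
```

The point to take from the comparison is that ORDER BY is one of the places where parameterized queries cannot carry the user's input, so the only sound control is to map the request value onto a closed set of identifiers the application owns, and to treat anything outside that set as an error rather than something to clean up.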

Added: May 29, 2026, 4:26 PM
Updated: May 29, 2026, 4:26 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 6.8
remediation: 0.0
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.