YesWiki
cpe:2.3:a:yeswiki:yeswiki:*:*:*:*:*:*:*
- <= 4.6.0
A SQL injection vulnerability has been identified in the YesWiki bazar module, affecting versions through 4.6.0. The issue arises in the EntryManager.php file, specifically at line 704, where the 'id_fiche' value from the POST request is directly concatenated into a SQL query without proper sanitization or parameterization. This vulnerability allows authenticated users to manipulate SQL queries, potentially leading to unauthorized data access or modification.
The injection is exploitable by authenticated users and has been confirmed through time-based and error-based techniques. It could be used to extract sensitive information from the database, such as user data or application secrets.
To reproduce this vulnerability, an authenticated user must send a POST request to the '/api/entries/{formId}' endpoint with a crafted 'id_fiche' value that includes SQL injection payloads. The injection can be confirmed by, for example, having the payload execute a 'SLEEP' command and observing the response delay.
Users are advised to update to YesWiki version 4.6.1, where this vulnerability has been patched.
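The root cause described above (a request value concatenated into SQL text) is shown next to the parameterized form in the added example below. It is not YesWiki's code or its patch: the in-memory SQLite table, the function names and the allowed identifier format are assumptions made for illustration, and the sample inputs are constructed.

```php
<?php
// Added illustration, not YesWiki's code. Table and column names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE entries (tag TEXT PRIMARY KEY, owner TEXT)");
$pdo->exec("INSERT INTO entries VALUES ('EntryA', 'alice'), ('EntryB', 'bob')");

// Pattern the advisory describes: the request value is concatenated into the SQL text.
function findEntryConcatenated(PDO $pdo, string $idFiche): array
{
    $sql = "SELECT tag, owner FROM entries WHERE tag = '" . $idFiche . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the value is bound as data and never parsed as SQL.
function findEntryParameterized(PDO $pdo, string $idFiche): array
{
    $stmt = $pdo->prepare('SELECT tag, owner FROM entries WHERE tag = :tag');
    $stmt->execute([':tag' => $idFiche]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defense in depth: reject values outside the expected shape before any query.
// The allowed character set and length are assumptions made for this sketch.
function isPlausibleEntryId(string $idFiche): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,190}\z/', $idFiche) === 1;
}

// Constructed inputs standing in for $_POST['id_fiche'].
$samples = [
    'EntryA',              // well-formed identifier
    "EntryA' OR '1'='1",   // quote ends the literal, so the WHERE clause changes
    "EntryA'",             // unbalanced quote: a SQL syntax error when concatenated
];

foreach ($samples as $value) {
    try {
        $unsafe = count(findEntryConcatenated($pdo, $value)) . ' row(s)';
    } catch (PDOException $e) {
        $unsafe = 'SQL error (the signal error-based probing relies on)';
    }
    $safe = count(findEntryParameterized($pdo, $value)) . ' row(s)';
    $valid = isPlausibleEntryId($value) ? 'accepted' : 'rejected';
    printf("%-22s concatenated: %-52s bound: %-9s validator: %s\n",
        json_encode($value), $unsafe, $safe, $valid);
}
```

SQL syntax errors in application logs that trace back to an 'id_fiche' value are worth alerting on for installations that have not yet been updated.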