Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00NWhjLXI0ZmotcWo4Oc03vQ
SQL injection in pagekit/pagekit
Pagekit is a modular and lightweight CMS built with Symfony components and Vue.js. The configAction in SettingsController allow user to set the order of comments listing. The allowed options are ASC and DESC. That config then get concatenated directly to the SQL query. Due to the fact that there wasnt any sanitizion before saving that config, it can lead to the SQL Injection vulnerability.
Permalink: https://github.com/advisories/GHSA-45hc-r4fj-qj89JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NWhjLXI0ZmotcWo4Oc03vQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-45hc-r4fj-qj89, CVE-2021-44135
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-44135
- https://huntr.dev/bounties/82f09b08-ceeb-4249-8855-b8bc718c4868/
- https://github.com/advisories/GHSA-45hc-r4fj-qj89
Affected Packages
packagist:pagekit/pagekit
Dependent packages: 0Dependent repositories: 4
Downloads: 419 total
Affected Version Ranges: <= 1.0.18
No known fixed version
All affected versions: 0.8.8, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18