dimtion Shaarlier Tag TagsSource.java createTag sql injection

Vulnerability

In Shaarlier versions prior to 1.2.2 (inclusive), the createTag function in app/src/main/java/com/dimtion/shaarlier/TagsSource.java directly concatenates user-supplied input into SQL queries without sanitization or parameterization [1]. Specifically, the tag value and master account ID are interpolated into a SELECT query, enabling SQL injection when an attacker controls the tag value [2]. The affected component is the Tag Handler, and the vulnerability is present in all releases up to and including v1.2.2 [1].

Exploitation

An attacker with the ability to create or modify tags (such as a user of the Shaarli application) can supply a crafted tag value containing SQL metacharacters [2]. No special network position is required beyond normal application access; the attack vector is through the tag creation interface. The attacker can inject arbitrary SQL into the query executed against the underlying SQLite database, which runs with the privileges of the application [2].

Impact

Successful exploitation allows an attacker to read, modify, or delete arbitrary data in the Shaarlier database, including potentially sensitive information from the tags or related tables [2]. The confidentiality, integrity, and availability of the application's data are compromised, with the attacker gaining the same level of access as the application's database user [1].

Mitigation

The issue is fixed in version 1.2.3, released on the project's GitHub releases page [1]. Users are strongly advised to upgrade to this version immediately. The fix, implemented in commit 3d1d9b239d9b3cd87e8bed45a0f02da583ad371e, replaces string concatenation with parameterized queries using ? placeholders [2]. No viable workaround exists for unpatched versions. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.