CVE-2019-19250
Description
OpenTrade before 2019-11-23 allows SQL injection, related to server/modules/api/v1.js and server/utils.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in OpenTrade before 2019-11-23 allows remote attackers to execute arbitrary SQL commands via a crafted market ticker parameter.
Vulnerability
OpenTrade before 2019-11-23 contains a SQL injection vulnerability in server/modules/api/v1.js and server/utils.js. The onGetMarketSummary function directly concatenates the market query parameter into a SQL query without proper sanitization, allowing an attacker to inject arbitrary SQL. This affects all versions prior to the commit a3eb3c645cfd1f3d310c10e4fb1f2f64a4d5e45e [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the onGetMarketSummary endpoint with a malicious market parameter. For example, a value like " OR 1=1 -- can be used to manipulate the query. No authentication is required; the attacker only needs network access to the affected endpoint. The fix in the referenced commit replaces the direct string concatenation with a call to utils.GetCoinFromTicker, which uses parameterized queries [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands on the backend database. This could lead to unauthorized reading, modification, or deletion of data, including sensitive information such as coin details and user data. The exact impact depends on the database configuration and permissions.
Mitigation
Update to a version after the commit a3eb3c645cfd1f3d310c10e4fb1f2f64a4d5e45e, which fixes the SQL injection by using safe query methods [1]. No workarounds have been provided; users should apply the patch immediately. The vulnerability was fixed before public disclosure.
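The following is an added illustration, not code from OpenTrade or from the referenced commit. It models the pattern the Exploitation and Mitigation sections describe in a hypothetical Node.js handler: a query built by string concatenation, the same query with a bound parameter, an allow-list check on the ticker, and a small detector that flags requests carrying the `" OR 1=1 --` style payload in constructed access-log lines. The function names, the request path in the sample logs, and the table and column names are assumptions.

```javascript
// Added example for CVE-2019-19250; hypothetical code, not OpenTrade's own.
// Names (buildUnsafeQuery, buildSafeQuery, coins table, /api/v1/market/summary) are assumptions.

// Vulnerable pattern: the request parameter lands inside the SQL text unchanged,
// so a value such as '" OR 1=1 --' closes the string literal and appends its own clause.
function buildUnsafeQuery(market) {
  return `SELECT * FROM coins WHERE ticker="${market}"`;
}

// Hardened pattern: the SQL text is fixed and the value travels separately as a bound
// parameter, which the database driver never parses as SQL.
function buildSafeQuery(market) {
  return { text: 'SELECT * FROM coins WHERE ticker=?', values: [market] };
}

// Defence in depth: tickers are short upper-case alphanumerics, so anything else is
// rejected before a query is ever built. The exact allowed shape is an assumption.
const TICKER_RE = /^[A-Z0-9]{1,10}$/;
function isValidTicker(market) {
  return typeof market === 'string' && TICKER_RE.test(market);
}

// Handler combining both controls: validate first, then use the parameterized query.
function handleMarketSummary(market) {
  if (!isValidTicker(market)) {
    return { error: 'invalid ticker' };
  }
  return buildSafeQuery(market);
}

// Constructed access-log lines (not real traffic) showing a benign request and one
// carrying the URL-encoded form of the payload quoted in the advisory text.
const SAMPLE_LOG = [
  '10.0.0.5 - - [23/Nov/2019:10:00:01 +0000] "GET /api/v1/market/summary?market=BTC HTTP/1.1" 200',
  '10.0.0.9 - - [23/Nov/2019:10:00:07 +0000] "GET /api/v1/market/summary?market=%22%20OR%201%3D1%20-- HTTP/1.1" 200',
];

// Detection: pull the market parameter out of each line, URL-decode it, and flag values
// containing quote characters, SQL comment markers, or a bare OR keyword.
const MARKET_PARAM_RE = /[?&]market=([^ &"]*)/;
const SUSPICIOUS_RE = /["'`;]|--|\/\*|\bor\b/i;

function flagSuspiciousMarketParams(lines) {
  const flagged = [];
  for (const line of lines) {
    const m = MARKET_PARAM_RE.exec(line);
    if (!m) continue;
    let market;
    try {
      market = decodeURIComponent(m[1]);
    } catch (e) {
      market = m[1]; // malformed encoding: inspect the raw value instead
    }
    if (SUSPICIOUS_RE.test(market)) {
      flagged.push({ line, market });
    }
  }
  return flagged;
}

// Usage: show the effect of the payload on each query style and the detector's verdict.
const payload = '" OR 1=1 --';
console.log('unsafe :', buildUnsafeQuery(payload));
console.log('safe   :', JSON.stringify(buildSafeQuery(payload)));
console.log('handler:', JSON.stringify(handleMarketSummary(payload)));
console.log('flagged:', flagSuspiciousMarketParams(SAMPLE_LOG).map((f) => f.market));
```

The validator is a second layer, not a replacement for binding parameters: the parameterized query is what removes the injection, while the allow-list shrinks the attack surface and gives a clean point at which to log rejected input. The detector is deliberately coarse and is meant for retrospective log review of the affected endpoint, where it will also surface benign values that happen to contain a quote or the word "or".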
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
OpenTrade/OpenTrade
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/3s3s/opentrade/commit/a3eb3c645cfd1f3d310c10e4fb1f2f64a4d5e45e (MISC)
News mentions
No linked articles in our index yet.