CVE-2020-21119
Description
A SQL injection vulnerability in Kliqqi-CMS 2.0.2, in the recordIDValue parameter of admin/admin_update_module_widgets.php, allows attackers to gain escalated privileges and execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Kliqqi-CMS 2.0.2 admin panel via unsanitized recordIDValue parameter allows privilege escalation and code execution.
Vulnerability
A SQL injection vulnerability exists in Kliqqi-CMS version 2.0.2 in the file admin/admin_update_module_widgets.php. The recordIDValue parameter is neither wrapped in single quotes nor sanitized before it is used in a SQL query at line 47 [1]. The vulnerability is reachable when the admin has installed modules; if the relevant tables are empty, time-based injection may not be observable [1].
Exploitation
An attacker must have administrative access to the Kliqqi-CMS admin panel to reach the vulnerable script. The attacker can supply a crafted recordIDValue parameter containing SQL injection payloads, which are directly interpolated into the query without proper escaping. Time-based blind SQL injection techniques are possible when the database tables contain data [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries, leading to privilege escalation within the application and potentially arbitrary code execution on the underlying server [1].
Mitigation
As of the latest available references, no patched version has been publicly released for CVE-2020-21119. Users should apply input validation and parameterized queries to the vulnerable parameter as a workaround. The project may be unmaintained; consider migrating to an alternative CMS if no fix is provided [1].
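The workaround named above (input validation plus a parameterized query), as an added example that is not Kliqqi-CMS code. The table name, column names, and function names are hypothetical, since the page does not show the real query, and the use of PDO is an assumption about how a fix could be written.

```php
<?php
declare(strict_types=1);

// Hypothetical table and column names; the page does not show the real query.
const WIDGET_TABLE = 'example_widgets';

// Input validation: accept only a canonical positive decimal integer.
function parse_record_id($raw): int
{
    if (!is_string($raw) || preg_match('/\A[1-9][0-9]{0,8}\z/', $raw) !== 1) {
        throw new InvalidArgumentException('recordIDValue must be a positive integer');
    }
    return (int) $raw;
}

// Weak pattern the page describes: the raw value is concatenated, unquoted,
// into the SQL text, so its content is parsed as SQL:
//   $sql = 'UPDATE ' . WIDGET_TABLE . ' SET position = 1 WHERE id = ' . $raw;

// Hardened form: validate first, then bind the value as a typed parameter.
function update_widget_position(PDO $pdo, $rawRecordId, int $position): int
{
    $id = parse_record_id($rawRecordId);
    $stmt = $pdo->prepare(
        'UPDATE ' . WIDGET_TABLE . ' SET position = :pos WHERE id = :id'
    );
    $stmt->bindValue(':pos', $position, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows changed
}

// Constructed demo on in-memory SQLite (requires the pdo_sqlite extension).
// With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ' . WIDGET_TABLE . ' (id INTEGER PRIMARY KEY, position INTEGER)');
$pdo->exec('INSERT INTO ' . WIDGET_TABLE . ' (id, position) VALUES (1, 0), (2, 0)');

// Constructed sample inputs: one valid id and three that must be rejected.
foreach (['2', '2 OR 1=1', '', '02'] as $raw) {
    try {
        $changed = update_widget_position($pdo, $raw, 5);
        printf("%-10s -> updated %d row(s)\n", var_export($raw, true), $changed);
    } catch (InvalidArgumentException $e) {
        printf("%-10s -> rejected: %s\n", var_export($raw, true), $e->getMessage());
    }
}
```

Only the first input reaches the database; the other three are rejected before any SQL is prepared, and even a value that passed validation would be sent as bound data rather than as query text.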
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: =2.0.2
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.