CVE-2020-21667
Description
In fastadmin-tp6 v1.0, the 'table' parameter passed to the file app/admin/controller/Ajax.php is not filtered, so a malicious value can be supplied to perform SQL injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Fastadmin-tp6 v1.0 SQL injection in Ajax.php via unsanitized 'table' parameter allows admin-level database compromise.
Vulnerability
The table parameter in the file app/admin/controller/Ajax.php (line 145) is not sanitized before being used in SQL queries, leading to SQL injection. This affects fastadmin-tp6 v1.0 only.
Exploitation
An attacker must have administrator credentials and be logged into the backend. A crafted POST request to /admin/ajax/weigh with a malicious table parameter can inject SQL commands. Reference [1] includes a proof-of-concept payload.
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries, potentially leaking sensitive data or modifying the database.
Mitigation
No official fix has been released. Users should manually validate and sanitize the table parameter in the affected code until a patch is provided.
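One way to implement that mitigation, as an added PHP/PDO example that is not fastadmin-tp6's own code (the TableGuard class, the weigh() handler and the `weigh` column it updates are assumptions): a table identifier cannot be bound as a prepared-statement placeholder, so the value is checked against the tables actually present in the schema before it is interpolated, and only the row data is bound as parameters.

```php
<?php
// Added illustration, not fastadmin-tp6 code. Identifiers (table names) cannot be
// bound with prepared-statement placeholders, so the safe option is an allowlist.
declare(strict_types=1);

final class TableGuard
{
    /** @var string[] table names that really exist in the configured schema */
    private array $allowed;

    public function __construct(PDO $pdo, string $schema)
    {
        // Build the allowlist from the database itself rather than hard-coding it.
        $stmt = $pdo->prepare(
            'SELECT table_name FROM information_schema.tables WHERE table_schema = :schema'
        );
        $stmt->execute([':schema' => $schema]);
        $this->allowed = $stmt->fetchAll(PDO::FETCH_COLUMN);
    }

    /**
     * Returns a backtick-quoted identifier, or throws if the value is not a
     * known table. The shape check runs first so malformed input is rejected
     * before any comparison with the allowlist.
     */
    public function quoteTable(string $table): string
    {
        if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $table)) {
            throw new InvalidArgumentException('malformed table name');
        }
        if (!in_array($table, $this->allowed, true)) {
            throw new InvalidArgumentException('unknown table');
        }
        return '`' . $table . '`';
    }
}

// Hypothetical weigh handler: the identifier is validated before it is
// interpolated into the SQL text; the ids and weights are bound as parameters.
function weigh(PDO $pdo, TableGuard $guard, string $table, array $ids): void
{
    $sql = 'UPDATE ' . $guard->quoteTable($table) . ' SET weigh = :w WHERE id = :id';
    $stmt = $pdo->prepare($sql);
    foreach (array_values($ids) as $position => $id) {
        $stmt->execute([':w' => $position, ':id' => (int) $id]);
    }
}
```

Rejecting the request with an exception (rather than silently falling back to a default table) also gives the application log a clear signal that someone sent an unexpected table name to the endpoint.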
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- fastadmin-tp6/fastadmin-tp6
- Range: = v1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/che-my/fastadmin-tp6/issues/2 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.