VYPR
Unrated severity · NVD Advisory · Published Dec 26, 2020 · Updated Aug 4, 2024

CVE-2020-35243

Description

Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserInfoInDb.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FlamingoIM through 2020-09-29 has a SQL injection in UserManager::updateUserInfoInDb, allowing unauthenticated attackers to execute arbitrary SQL commands.

Vulnerability

FlamingoIM (Flamingo) through 2020-09-29 contains a SQL injection vulnerability in the UserManager::updateUserInfoInDb method [1]. Additionally, the code review reveals SQL injection flaws in related methods: UserManager::addUser (where userid, username, and nickname are unsanitized) and UserManager::updateUserTeamInfoInDbAndMemory (where newteaminfo is injected) [1]. The client does not encrypt transmitted data, and no input filtering is performed server-side [1]. All versions up to the 2020-09-29 release are affected.

Exploitation

An attacker can exploit this vulnerability by sending crafted HTTP requests to the FlamingoIM server without requiring authentication [1]. The injection is delivered through client-facing fields such as the registration username or team info; the client-side length limits do not prevent it, because they can be bypassed by hardcoding payloads [1]. For example, the payload ad','ad','ads',sleep(10));# injected into the registration fields causes a 10-second SQL delay, confirming injection on the t_user table [1].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL statements, potentially leading to extraction of user credentials, modification of user data, or denial-of-service via time-based payloads [1]. The attacker gains full read/write access to the database with the privileges of the database user configured for the application [1].

Mitigation

No official fix has been released as of the latest references [1]. Users should mitigate risk by applying strong input validation and parameterized queries (prepared statements) in the UserManager methods, and by enforcing encryption between client and server [1]. The codebase is publicly available for patching [1].
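The difference between splicing registration fields into the SQL text and binding them as parameters, shown as an added example that is not FlamingoIM's code. It assumes an in-memory SQLite database as a stand-in for the server's database, hypothetical t_user column names, and an assumed 64-character server-side length limit; the payload is the one quoted under Exploitation.

```python
import sqlite3

# Constructed stand-in for the server's t_user table; column names are assumed.
SCHEMA = "CREATE TABLE t_user (f_username TEXT, f_nickname TEXT, f_password TEXT)"
MAX_LEN = 64  # assumed server-side limit; client-side limits are bypassable

# The registration payload quoted in the Exploitation paragraph.
PAYLOAD = "ad','ad','ads',sleep(10));#"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def register_concat(conn, username, nickname, password):
    """'Before' pattern: field values are spliced into the SQL text."""
    sql = ("INSERT INTO t_user (f_username, f_nickname, f_password) "
           f"VALUES ('{username}', '{nickname}', '{password}')")
    try:
        conn.execute(sql)
        return "stored"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # A quote in the input ended the literal; the rest reached the SQL parser.
        return f"parsed as SQL: {exc}"


def register_bound(conn, username, nickname, password):
    """Hardened pattern: server-side length check plus bound parameters."""
    for value in (username, nickname, password):
        if not 0 < len(value) <= MAX_LEN:
            raise ValueError("field length out of range")
    conn.execute(
        "INSERT INTO t_user (f_username, f_nickname, f_password) VALUES (?, ?, ?)",
        (username, nickname, password),
    )
    return "stored"


def stored_usernames(conn):
    return [row[0] for row in conn.execute("SELECT f_username FROM t_user")]


if __name__ == "__main__":
    db = open_db()
    print(register_concat(db, PAYLOAD, "nick", "pw"))  # statement structure altered
    print(register_bound(db, PAYLOAD, "nick", "pw"))   # payload kept as plain data
    print(stored_usernames(db))
```

SQLite rejects the altered statement because it has no sleep() function and the column count no longer matches; the point is that the input reached the parser as SQL at all, which the bound form prevents.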

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
