CVE-2020-35244
Description
Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addGroup.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FlamingoIM through 2020-09-29 contains a SQL injection in UserManager::addGroup, allowing unauthenticated remote attackers to execute arbitrary SQL commands.
Vulnerability
A SQL injection vulnerability exists in the UserManager::addGroup method of FlamingoIM (through 2020-09-29). The groupname parameter passed to this method is directly concatenated into a SQL query without proper sanitization or parameterization [1]. This allows an attacker to inject arbitrary SQL commands by providing a crafted group name. The vulnerable code path is reachable when an attacker sends a request to create a group. The affected versions include all versions of FlamingoIM up to and including 2020-09-29 [1].
Exploitation
No authentication is required to trigger this vulnerability, as the group creation functionality is exposed to unauthenticated users. An attacker can send a crafted HTTP request (or client message) containing a malicious groupname string that includes SQL injection payloads. The injection occurs server-side, and the client application does not encrypt the transmission, meaning the payload can be sent in clear text [1]. For example, a payload such as groupname=test','1','1'); DROP TABLE t_group;-- could be used to modify or drop database tables.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands on the underlying database. This can lead to data exfiltration, data modification, unauthorized access to user credentials, or complete compromise of the FlamingoIM database [1]. The injection point is an INSERT statement, but additional statements can be appended to it (stacked queries) to alter data or extract information.
Mitigation
As of the available references, no official patch or updated version has been released to address this vulnerability. The vendor may not have responded to the issue report on GitHub [1]. Until a fix is published, mitigation involves disabling access to the group creation functionality if possible, or implementing a web application firewall (WAF) rule to block SQL injection patterns in the groupname parameter. This CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Flamingo/Flamingo
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/balloonwj/flamingo/issues/47 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.