CVE-2021-45014
Description
There is an upload SQL injection vulnerability in the background (admin panel) of taocms 3.0.2 in the parameter id: action=cms&ctrl=update&id=26
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TaoCMS 3.0.2 background update endpoint is vulnerable to SQL injection via the id parameter.
Vulnerability
TaoCMS 3.0.2 contains a SQL injection vulnerability in the background administration panel. The vulnerable code resides at line 59 in taocms/include/Model/Cms.php. The update() method uses the id parameter from the request directly in an SQL statement without first casting it with intval(). The specific parameter is id in the endpoint action=cms&ctrl=update&id=26. An attacker must be logged into the background with administrative privileges to exploit this issue. [1]
Exploitation
To exploit, an attacker first logs into the TaoCMS background using administrative credentials, such as the default admin account. The vulnerable endpoint is accessed via action=cms&ctrl=update. The id parameter (e.g., id=26) is then manipulated to inject SQL commands. For example, using the SQLMap tool, an attacker can automate the injection to extract data. No special network position is required beyond access to the admin panel. [1]
Impact
Successful exploitation leads to SQL injection, allowing an authenticated attacker to extract sensitive information from the database, including user credentials and other data managed by the CMS. This could lead to full compromise of the application's data integrity and confidentiality. The attacker gains database-level access, potentially escalating to further system compromise. [1]
Mitigation
As of the publication date, TaoCMS 3.0.2 is the affected version and no official patch has been released. The vendor (taogogo) was notified via the GitHub issue tracker [1], but no fixed version is available. A workaround for administrators is to ensure the id parameter is sanitized with intval() in the code (and, ideally, bound as an integer in a prepared statement), or to restrict access to the background panel to trusted users only. Users should monitor the repository for updates. [1]
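The following PHP snippet is an added illustration of the workaround described above; it is not TaoCMS's own code and does not reproduce Cms.php. The function names updateUnsafe() and updateSafe(), the table name cms and the column title are assumptions chosen for the example. It places a hypothetical reconstruction of the weak pattern (the raw id string concatenated into the statement) beside a hardened version that validates the id as a positive integer, casts it with intval(), and binds it as an integer in a PDO prepared statement. The demo at the bottom runs against an in-memory SQLite database with constructed sample data.

```php
<?php
// Added example, not TaoCMS code. Models the defect the advisory describes:
// an update() that builds SQL from the request's id without casting it.
declare(strict_types=1);

// Weak pattern (hypothetical reconstruction): the id string taken from the
// request is interpolated straight into the SQL text, so anything other than
// a number changes the meaning of the statement.
function updateUnsafe(PDO $db, array $request, string $title): int
{
    $id = $request['id'] ?? '';                                  // untrusted string
    $sql = "UPDATE cms SET title = '" . $title . "' WHERE id = " . $id;
    return $db->exec($sql);                                      // no escaping, no binding
}

// Hardened pattern: accept only a string of decimal digits, cast it with
// intval() (the workaround named in the advisory), reject non-positive ids,
// and bind every value in a prepared statement so the SQL text is fixed.
function updateSafe(PDO $db, array $request, string $title): int
{
    $raw = (string)($request['id'] ?? '');
    if (!ctype_digit($raw)) {
        throw new InvalidArgumentException('id must be a decimal integer');
    }
    $id = intval($raw);
    if ($id <= 0) {
        throw new InvalidArgumentException('id must be positive');
    }
    $stmt = $db->prepare('UPDATE cms SET title = :title WHERE id = :id');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Demo on an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cms (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$db->exec("INSERT INTO cms (id, title) VALUES (26, 'original'), (27, 'other')");

// A well-formed id updates exactly one row.
echo updateSafe($db, ['id' => '26'], 'renamed'), " row(s) updated\n";

// A non-numeric id is rejected before any SQL is built.
try {
    updateSafe($db, ['id' => 'not-a-number'], 'ignored');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php`; the first call reports one updated row and the second prints the rejection message. The ctype_digit() check is stricter than intval() alone: intval('26abc') silently returns 26, so validating the raw string first makes the rejection explicit and leaves a log-worthy event rather than a quietly truncated value.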
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- taocms/taocms
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/taogogo/taocms/issues/11 (MISC)
News mentions
No linked articles in our index yet.