VYPR
High severity · NVD Advisory · Published Apr 5, 2022 · Updated Aug 3, 2024

CVE-2022-26585

Description

Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability via /cms/content/list.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mingsoft MCMS v5.2.7 is vulnerable to SQL injection in the /cms/content/list endpoint, allowing remote attackers to execute arbitrary SQL commands.

Vulnerability

Mingsoft MCMS v5.2.7 contains a SQL injection vulnerability in the /cms/content/list endpoint. The application fails to properly sanitize user-supplied input before using it in a SQL query, allowing an attacker to inject arbitrary SQL statements. The issue is triggered when accessing the list functionality without proper authentication or authorization controls [1][2].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the /cms/content/list endpoint. No authentication is required, as the vulnerable parameter is accessible to unauthenticated users. The attacker injects SQL code into one of the request parameters (such as ordering, filtering, or pagination fields) that is directly concatenated into a SQL query. The specific payload is captured in the reference issue [2].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands against the underlying database. This can lead to unauthorized retrieval, modification, or deletion of sensitive data, including user credentials, content records, and system configuration. The impact is severe due to the potential for complete database compromise.

Mitigation

As of the publication date (2022-04-05), no official patch or fixed version has been released, and the vulnerability remains reachable without authentication. Users are advised to implement input validation, use parameterized queries, and apply the principle of least privilege to the database connection. The issue is tracked on the Gitee repository [2].
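The mitigation advice above, applied to the three input kinds named under Exploitation (ordering, filtering, pagination), as an added example that is not MCMS code and not part of the advisory. It uses Python's sqlite3 so it runs stand-alone; the table, column names, request keys and function names are hypothetical.

```python
import sqlite3

# Hypothetical request keys -> column names; the MCMS schema is not on the page.
SORTABLE = {"id": "id", "title": "title", "date": "publish_date"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
MAX_PAGE_SIZE = 100


def build_list_query(title_filter, sort, direction, page, page_size):
    """Return (sql, params) for a content listing built from untrusted input."""
    # Identifiers and keywords cannot be bound as parameters, so ordering
    # input is mapped through an allowlist and never copied into the SQL text.
    try:
        column = SORTABLE[sort]
        order = DIRECTIONS[direction.lower()]
    except (KeyError, TypeError, AttributeError):
        raise ValueError("unsupported ordering") from None
    # Pagination values must parse as integers and stay in a bounded range.
    page, page_size = int(page), int(page_size)
    if page < 1 or not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("pagination out of range")
    # Filter text is data: escape LIKE wildcards, then bind it as a parameter.
    escaped = "".join("\\" + c if c in "%_\\" else c for c in title_filter)
    sql = ("SELECT id, title FROM content WHERE title LIKE ? ESCAPE '\\' "
           f"ORDER BY {column} {order} LIMIT ? OFFSET ?")
    return sql, ("%" + escaped + "%", page_size, (page - 1) * page_size)


def list_content(conn, **request):
    """Run the listing with every user-supplied value bound or allowlisted."""
    sql, params = build_list_query(**request)
    return conn.execute(sql, params).fetchall()


def demo_db():
    """In-memory database with constructed sample rows (not MCMS data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, publish_date TEXT)")
    rows = [("Release notes", "2022-01-10"), ("It's a quote", "2022-02-01"),
            ("100% coverage", "2022-03-05")]
    conn.executemany("INSERT INTO content (title, publish_date) VALUES (?, ?)", rows)
    return conn
```

Parameter binding alone does not cover the ordering field, which is why the sort column and direction go through the allowlist instead.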

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: net.mingsoft:ms-mcms (Maven)
Affected versions: <= 5.2.7
Patched versions: none listed

Affected products

2

Patches

0

No patches discovered yet.

References

3
