SQL Injection in instantsoft/icms2
Description
SQL Injection in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL Injection vulnerability in instantsoft/icms2 versions prior to 2.16.1-git allows remote attackers to execute arbitrary SQL commands.
Vulnerability
A SQL injection vulnerability exists in the tag autocomplete functionality of instantsoft/icms2 prior to version 2.16.1-git. The flaw is in the run() method of a controller that the advisory does not name (the tags controller is the likely candidate, but that is an inference from the affected feature, not a statement in the sources): the user-supplied term parameter is concatenated directly into the SQL query string instead of being passed as a bound parameter or escaped [1]. All releases before the commit that introduced the fix are affected.
Exploitation
An attacker exploits this by sending a crafted HTTP request to the tag autocomplete endpoint with a term value that closes the quoted string and appends attacker-controlled SQL (for example a UNION clause followed by a comment sequence to discard the rest of the original query). No authentication, special privileges, or user interaction is required, and the attack is carried out remotely over the network [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL statements against the application's database, which can lead to disclosure of sensitive data (such as user records and credential hashes), modification of database content, or compromise of the application as a whole [2]. The impact is rated high; the precise reach of an injected statement is bounded by the privileges of the database account the application connects with, and in a typical CMS deployment that account can read and write every application table.
Mitigation
The vulnerability is fixed in version 2.16.1-git (commit 1dbc3e6). Operators should upgrade to that version or later [1]. No vendor-supplied workaround exists for unpatched versions. The vendor acknowledged the issue with the fix commit linked in the advisory.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
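The following is an added illustration written for this page, not code from icms2 or from the fix commit: a model of the flaw described in the Vulnerability, Exploitation and Mitigation sections above, with the concatenated query beside the parameterized one. The schema, tag data, users table, the function names and the payload are all constructed for the demonstration; the real endpoint's query text and column names are not given in the sources. SQLite is used so the example runs offline.

```python
import sqlite3

# Constructed sample data (hypothetical; not icms2's schema).
TAGS = ["linux", "linux-kernel", "php", "python"]
USERS = [("admin", "hash_of_admin_password")]

# Example injection payload: closes the quoted LIKE pattern, appends a
# UNION that reads another table, and comments out the remainder of the
# original statement.
DEMO_PAYLOAD = "' UNION SELECT login || ':' || password_hash FROM users -- "


def make_db():
    """Build an in-memory database with a tags table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (id INTEGER PRIMARY KEY, tag TEXT)")
    conn.executemany("INSERT INTO tags (tag) VALUES (?)", [(t,) for t in TAGS])
    conn.execute("CREATE TABLE users (login TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def autocomplete_vulnerable(conn, term):
    """Model of the flawed pattern: the request parameter is spliced
    straight into the SQL text, so a quote in `term` changes the query."""
    sql = ("SELECT tag FROM tags WHERE tag LIKE '" + term + "%' "
           "ORDER BY tag LIMIT 10")
    return [row[0] for row in conn.execute(sql)]


def _escape_like(term):
    """Escape LIKE metacharacters so a user-supplied prefix matches
    literally; a parameterized query stops injection but not wildcards."""
    return (term.replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_"))


def autocomplete_fixed(conn, term):
    """Hardened form: the term is bound as a parameter and can only ever
    be data, and LIKE wildcards inside it are neutralised with ESCAPE."""
    sql = ("SELECT tag FROM tags WHERE tag LIKE ? ESCAPE '\\' "
           "ORDER BY tag LIMIT 10")
    return [row[0] for row in conn.execute(sql, (_escape_like(term) + "%",))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign term:", autocomplete_vulnerable(db, "lin"))
    print("vulnerable, payload    :", autocomplete_vulnerable(db, DEMO_PAYLOAD))
    print("fixed, benign term     :", autocomplete_fixed(db, "lin"))
    print("fixed, payload         :", autocomplete_fixed(db, DEMO_PAYLOAD))
```

With the benign prefix both functions return the same completions. With the payload, the concatenated query returns the contents of the users table, which is the disclosure path the Impact section describes; the parameterized query returns nothing, because the payload is matched as a literal tag prefix. The ESCAPE handling is a separate point worth keeping in mind when auditing autocomplete code: binding the parameter closes the injection, but a bare `%` in the term would otherwise still enumerate the whole table.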
Affected products
- instantsoft/icms2: Range: <2.16.1-git
- instantsoft/instantsoft/icms2v5: Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.