VYPR
Unrated severity · NVD Advisory · Published Dec 14, 2023 · Updated Aug 2, 2024

CVE-2023-48049

Description

A SQL injection vulnerability in Cybrosys Techno Solutions Website Blog Search (aka website_search_blog) v. 13.0 through 13.0.1.0.1 allows a remote attacker to execute arbitrary code and to gain privileges via the name parameter in the controllers/main.py component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing input validation and lack of parameterized queries in the search_contents controller method allow SQL injection via the name parameter."

Attack vector

A remote attacker sends an HTTP POST request to the `/blog/search/` route with a crafted `name` parameter containing SQL injection payloads [ref_id=1]. The controller does not require authentication, so any unauthenticated attacker can reach the endpoint [ref_id=1]. Because the controller runs the query on the raw database cursor rather than through the ORM, no access-rights checks apply, and because no input validation or sanitization is performed, the attacker controls the SQL text that reaches the database [ref_id=1].

Affected code

The vulnerable endpoint is the `search_contents` method in `controllers/main.py` of the `website_search_blog` module [ref_id=1]. The `name` parameter is passed directly into a SQL query executed via the database cursor without sanitization or parameterization [ref_id=1].

What the fix does

No official patch is provided in the bundle. The advisory suggests that a possible fix would be to use prepared statements to safely handle user-supplied input [ref_id=1]. Passing the `name` parameter as a bound query parameter, rather than concatenating it into the SQL string, ensures the database treats it as a single string literal, so the quote and statement separator in the payload below can no longer terminate the query or append new statements [ref_id=1]. Note that parameterization alone does not restore the access-rights checks the ORM would apply: a query issued on the raw cursor still bypasses them, as the attack vector above describes.

Preconditions

  • config: The Odoo instance must have the website_search_blog module installed.
  • auth: No authentication is required; the endpoint is publicly accessible.
  • network: The attacker must be able to send HTTP POST requests to the /blog/search/ route.
  • input: The attacker supplies a crafted name parameter containing a SQL injection payload.

Reproduction

Send an HTTP POST request to `/blog/search/` with a body containing a crafted `name` parameter, for example: `name=dev'; UPDATE res_users SET password='whatever' WHERE login='admin'; select id as res_id, name as name, name as value from blog_post where name ILIKE 'dev` [ref_id=1]. The leading `dev'` closes the string literal the controller built around the parameter, the `UPDATE` is a stacked statement that overwrites the admin user's password, and the trailing `select ... ILIKE 'dev` re-opens a literal so that the controller's own closing quote and wildcard complete a syntactically valid statement. This payload demonstrates privilege escalation by updating the admin user's password [ref_id=1].
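To make the fix described above and the reproduction payload concrete, the following is an added example; it is not code from this page, from the website_search_blog module, or from Odoo. It models the flawed query and a parameterized replacement with Python's bundled sqlite3 so it runs offline. Assumptions: the shape of the vulnerable query (`vulnerable_sql`, a `LIKE '<name>%'` filter on `blog_post`, inferred from the payload's trailing clause), the table layouts and rows are all constructed; the PoC's `ILIKE` is written as `LIKE` because sqlite3 has no `ILIKE`; and `executescript()` stands in for psycopg2's `cursor.execute()`, which in Odoo runs every stacked statement in a single call.

```python
import sqlite3

# Constructed stand-in for the two Odoo tables named on this page (not Odoo's real schema).
SCHEMA = """
CREATE TABLE res_users (id INTEGER PRIMARY KEY, login TEXT NOT NULL, password TEXT NOT NULL);
CREATE TABLE blog_post (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
INSERT INTO res_users VALUES (2, 'admin', 'pbkdf2-hash-placeholder');
INSERT INTO blog_post VALUES (1, 'Dev diary'), (2, 'Release notes');
"""

# The page's PoC payload, with ILIKE rewritten as LIKE because sqlite3 lacks ILIKE
# (sqlite's LIKE is already case-insensitive for ASCII). On PostgreSQL the original applies.
POC_PAYLOAD = ("dev'; UPDATE res_users SET password='whatever' WHERE login='admin'; "
               "select id as res_id, name as name, name as value "
               "from blog_post where name LIKE 'dev")


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def admin_password(conn):
    return conn.execute("SELECT password FROM res_users WHERE login = 'admin'").fetchone()[0]


def vulnerable_sql(name):
    """Assumed shape of the flawed query: the request parameter is pasted into the SQL text,
    so a quote in `name` ends the literal and a semicolon starts a new statement."""
    return ("select id as res_id, name as name, name as value "
            "from blog_post where name LIKE '%s%%'" % name)


def search_contents_vulnerable(conn, name):
    # psycopg2 (Odoo's driver) executes all stacked statements handed to one cursor.execute().
    # sqlite3's execute() refuses more than one statement, so executescript() models psycopg2
    # here; it discards the SELECT's rows, so this path demonstrates the write side effect.
    conn.executescript(vulnerable_sql(name))


def search_contents_fixed(conn, name):
    """Hardened version: the driver binds `name` as one string literal, so quotes and
    semicolons inside it are data, never SQL (psycopg2 uses %s where sqlite3 uses ?).
    LIKE wildcards are escaped too, so the caller cannot widen the match with % or _."""
    escaped = name.replace("\\", "\\\\").replace("%", r"\%").replace("_", r"\_")
    return conn.execute(
        "select id as res_id, name as name, name as value "
        "from blog_post where name LIKE ? ESCAPE '\\'",
        (escaped + "%",),
    ).fetchall()


def demo():
    """Run the PoC payload against both variants and report the state of the admin row."""
    vuln = new_db()
    search_contents_vulnerable(vuln, POC_PAYLOAD)
    fixed = new_db()
    rows = search_contents_fixed(fixed, POC_PAYLOAD)
    return {
        "vulnerable_admin_password": admin_password(vuln),  # 'whatever': the stacked UPDATE ran
        "fixed_admin_password": admin_password(fixed),      # unchanged placeholder hash
        "fixed_rows_for_payload": rows,                     # []: payload matched as a literal
    }


if __name__ == "__main__":
    print(demo())
    print(search_contents_fixed(new_db(), "dev"))  # [(1, 'Dev diary', 'Dev diary')]
```

Running the file shows the admin row rewritten by the vulnerable path and left alone by the fixed one, while an honest search such as `dev` still returns the matching post. In an Odoo controller the same change is `cr.execute(query, (name + '%',))` with a `%s` placeholder; a query on the raw cursor still bypasses the ORM's record rules even when parameterized, so a search that must respect access rights belongs in an ORM `search()` on the blog.post model instead.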

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
