SQL Injection in instantsoft/icms2
Description
SQL Injection in GitHub repository instantsoft/icms2 prior to 2.16.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in instantsoft/icms2 prior to 2.16.1 allows attackers to execute arbitrary SQL via the datagrid advanced filter.
Vulnerability
A SQL injection vulnerability exists in the datagrid advanced filter of instantsoft/icms2 prior to version 2.16.1. Filter parameters supplied by the client are incorporated into the database query without sanitization, so an attacker can inject arbitrary SQL through them. The commit 3a6b148 [1] addresses this by escaping or validating the filter inputs before they reach the query. All versions before 2.16.1 are affected.
Exploitation
An attacker with access to the datagrid filter (typically an authenticated user with permission to view or manage data grids) can supply filter parameters that are passed into the SQL query without sanitization. No privileges beyond those needed to use the datagrid are required. By sending a specially crafted request to the filter endpoint, the attacker has injected SQL executed against the application's database. The advisory does not state which roles can reach the filter, so operators should check which accounts on their deployment can open datagrid views.
Impact
Successful exploitation allows the attacker to execute arbitrary SQL statements. This can lead to unauthorized reading, modification, or deletion of database records, including sensitive user data. In worst-case scenarios, the attacker may escalate privileges or gain full control over the application's database, potentially compromising the entire system.
Mitigation
The vulnerability is fixed in version 2.16.1, released on or before September 13, 2023. Users should upgrade to this version or later immediately. No workarounds are documented. The issue was reported via the Huntr bug bounty platform [2] and is not listed in the CISA KEV catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
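The following is an added illustration of the bug class the advisory describes and of the two fixes it mentions (validation of the parts that cannot be bound, escaping or binding of the parts that can). It is not icms2 code and not the content of commit 3a6b148; the filter builder, the function names filter_vulnerable and filter_hardened, and the users/user_secrets schema are all assumptions, and the SQLite database is constructed inline so the script runs offline.

```python
import sqlite3

# Constructed sample schema: a "users" grid plus a table the grid is not meant
# to expose. Hypothetical stand-in for any datagrid-backed page, not icms2's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.org');
        INSERT INTO users VALUES (2, 'bob',   'bob@example.org');
        CREATE TABLE user_secrets (user_id INTEGER, password_hash TEXT);
        INSERT INTO user_secrets VALUES (1, 'hash-of-alice');
        INSERT INTO user_secrets VALUES (2, 'hash-of-bob');
    """)
    return conn


def filter_vulnerable(conn, filters):
    """Advanced-filter builder of the kind the advisory describes: every part of
    each condition (column, operator, value) comes straight from the request and
    is concatenated into the WHERE clause. Hypothetical code, not icms2's.
    filters = {column: {"op": operator, "value": text}}"""
    conditions = [f"{col} {spec['op']} '{spec['value']}'" for col, spec in filters.items()]
    sql = "SELECT id, login, email FROM users WHERE " + " AND ".join(conditions)
    return conn.execute(sql).fetchall()


# Column names and operators cannot be bound as query parameters, so they are
# validated against fixed allowlists instead of escaped.
ALLOWED_COLUMNS = {"id", "login", "email"}
ALLOWED_OPS = {"=": "=", "!=": "<>", ">": ">", "<": "<", "like": "LIKE"}
LIKE_ESCAPE = "ESCAPE '\\'"  # tells SQLite that backslash escapes % and _ in the pattern


def _escape_like(value):
    """Escape LIKE wildcards so a user-supplied value is matched literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def filter_hardened(conn, filters):
    """Same feature, fixed: columns and operators are allowlisted, values are
    bound as parameters, and wildcards inside LIKE values are escaped."""
    conditions, params = [], []
    for col, spec in filters.items():
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown filter column: {col!r}")
        op = ALLOWED_OPS.get(spec["op"])
        if op is None:
            raise ValueError(f"unknown filter operator: {spec['op']!r}")
        if op == "LIKE":
            conditions.append(f'"{col}" LIKE ? {LIKE_ESCAPE}')
            params.append(f"%{_escape_like(spec['value'])}%")  # "contains" semantics
        else:
            conditions.append(f'"{col}" {op} ?')
            params.append(spec["value"])
    sql = "SELECT id, login, email FROM users WHERE " + " AND ".join(conditions)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: closes the quoted value and UNIONs in a table the grid never selects from.
    payload = {"login": {"op": "=", "value": "x' UNION SELECT user_id, password_hash, '' FROM user_secrets --"}}
    print("vulnerable:", filter_vulnerable(db, payload))  # leaks password hashes
    print("hardened:  ", filter_hardened(db, payload))    # value treated as a literal string, no rows
```

The point of the allowlists is that parameter binding only covers values: a filter UI also sends the column and the operator, and those have to be checked against a fixed set because no driver can bind an identifier. Escaping the value with the database driver's own escape function (the other fix the advisory allows for) is acceptable as long as it is applied to every field, including the ones a filter builder tends to forget such as sort column and direction.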
Affected products
- instantsoft/icms2 Range: <2.16.1
- instantsoft/instantsoft/icms2v5 Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.