TimGeyssens UIOMatic uioMaticObject.r sql injection
Description
A vulnerability has been found in TimGeyssens UIOMatic 5 and classified as critical. This vulnerability affects unknown code of the file /src/UIOMatic/wwwroot/backoffice/resources/uioMaticObject.r. The manipulation leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products (2)
- (no CPE) range: =5
- (no CPE) range: 5
Patches
Vulnerability mechanics
Root cause
"The `id` parameter is directly concatenated into a SQL query without sanitization or parameterization."
Attack vector
An attacker with backend access sends a GET request to `/uiomatic/object/GetById?typeAlias=cities&id=10` and appends a time-based payload to the `id` parameter, such as `%20waitfor%20delay'0%3a0%3a10'--` (URL-decoded: ` waitfor delay'0:0:10'--`, a ten-second delay) [ref_id=1]. The application inserts the decoded value directly into a SQL query without sanitization, so the database executes the attacker's tokens; by timing responses the attacker can infer database structure or extract data one true/false question at a time through time-based blind SQL injection [ref_id=1]. `WAITFOR DELAY` is Microsoft SQL Server (T-SQL) syntax, so this exact payload only produces a delay against a SQL Server backend; other engines need their own sleep primitive. The maintainer confirmed the vulnerability is exploitable only with backend access [ref_id=1].
Affected code
The CVE record points at `/src/UIOMatic/wwwroot/backoffice/resources/uioMaticObject.resource.js`, line 104, where the client-side resource builds the request URL by string concatenation: `$http.get(ocBaseUrl + "GetById?typeAlias=" + type + "&id=" + id)` [ref_id=1]. That line is the front-end caller, not the SQL sink: the injection occurs in the backend handler for `/uiomatic/object/GetById`, which takes the `id` query parameter into a SQL statement without parameterization [ref_id=1]. The references do not identify the server-side method that contains the concatenated query; the quoted root cause is the only description of it.
What the fix does
No code-level patch has been published for this vulnerability. Pull request #227 only added a `SECURITY.md` file and did not modify the vulnerable code [ref_id=1]. The maintainer stated they are not actively working on the project and invited a pull request to fix the issue [ref_id=1]. Remediation would require parameterized queries in the backend handler so that `id` is bound as a value rather than spliced into SQL text; validating that `id` has the expected type before it reaches the query is a useful second layer but not a replacement for parameterization.
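The root cause quoted above and the remediation it calls for, as an added example that is not UIOMatic's code: the project's server-side handler is not shown in the references, so the pattern is illustrated in Python against an in-memory SQLite database. The `cities` table, its rows and the function names are assumptions of this example. The report's `waitfor delay` payload is T-SQL, which SQLite does not support, so a boolean payload is used to show the WHERE clause being rewritten, and the T-SQL payload is only shown reaching the SQL parser (SQLite rejects it with a syntax error where SQL Server would sleep).

```python
import sqlite3

# Constructed sample data standing in for a UIOMatic-managed object type named "cities".
# Table name, columns and rows are assumptions for this example, not the project's schema.
SAMPLE_ROWS = [(10, "Ghent"), (11, "Antwerp"), (12, "Bruges")]

# Boolean payload used instead of the T-SQL `waitfor delay` from the report: SQLite has no
# WAITFOR, but the same concatenation lets this payload rewrite the WHERE clause.
BOOLEAN_PAYLOAD = "10 OR 1=1"

# Decoded form of the payload in the report (T-SQL syntax).
TIMING_PAYLOAD = "10 waitfor delay '0:0:10'--"


def make_db():
    """Return an in-memory SQLite database seeded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cities (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO cities VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def get_by_id_vulnerable(conn, id_value):
    """Reproduce the root cause: the untrusted `id` is pasted into the SQL text,
    so whatever the caller sends is parsed by the database as SQL."""
    query = f"SELECT id, name FROM cities WHERE id = {id_value}"
    return conn.execute(query).fetchall()


def get_by_id_fixed(conn, id_value):
    """Validate, then bind: `id` must be an integer and is passed as a query
    parameter, so the database only ever sees it as a value."""
    try:
        object_id = int(id_value)
    except (TypeError, ValueError):
        raise ValueError(f"id must be an integer, got {id_value!r}")
    return conn.execute(
        "SELECT id, name FROM cities WHERE id = ?", (object_id,)
    ).fetchall()


def engine_parses_payload(conn, id_value):
    """True when the vulnerable path hands the attacker's tokens to the SQL parser.
    SQLite raises a syntax error on T-SQL WAITFOR; a benign numeric id runs cleanly."""
    try:
        get_by_id_vulnerable(conn, id_value)
    except sqlite3.OperationalError:
        return True
    return False


def run_demo():
    """Return what each implementation yields for a benign id and for the boolean payload."""
    conn = make_db()
    results = {
        "vulnerable_benign": get_by_id_vulnerable(conn, "10"),
        "vulnerable_payload": get_by_id_vulnerable(conn, BOOLEAN_PAYLOAD),
        "fixed_benign": get_by_id_fixed(conn, "10"),
    }
    try:
        get_by_id_fixed(conn, BOOLEAN_PAYLOAD)
        results["fixed_payload"] = "accepted"
    except ValueError:
        results["fixed_payload"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
    print("T-SQL payload reached the parser:", engine_parses_payload(make_db(), TIMING_PAYLOAD))
```

With the vulnerable function, `10 OR 1=1` returns every row because the payload became part of the WHERE clause; with the fixed function the same string is rejected before any SQL runs, and a genuine id is bound as a parameter.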
Preconditions
- auth: Attacker must have backend access to the UIOMatic application
- config: The application must be running UIOMatic version 5
- network: Attacker must be able to send HTTP GET requests to the /uiomatic/object/GetById endpoint
Reproduction
1. Log into the UIOMatic backend and click on the UI-O-Matic module.
2. Click any entry and capture the resulting request.
3. Observe a GET request to `/uiomatic/object/GetById?typeAlias=cities&id=10`.
4. Inject a time-based SQL payload into the `id` parameter, e.g., `%20waitfor%20delay'0%3a0%3a10'--`.
5. The application responds after the specified delay, confirming SQL injection [ref_id=1].
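Detection-side counterpart to the attack vector and reproduction above, as an added example that is not drawn from the page's references: a small Python detector run over constructed web-server access log lines for the `/uiomatic/object/GetById` endpoint. The log layout and field order, the `time-taken` values, the fourth (boolean) request and the assumption that `id` is numeric for the `cities` object type are all assumptions of this example. A slow response on its own is a weak signal, so it is only reported alongside a malformed `id`.

```python
import re
from urllib.parse import parse_qs

# Constructed log lines in a W3C-like layout:
#   date time cs-method cs-uri-stem cs-uri-query sc-status time-taken(ms)
# The layout, the time-taken values and the fourth request are assumptions for this example.
SAMPLE_LOG = """\
2026-05-20 10:01:02 GET /uiomatic/object/GetById typeAlias=cities&id=10 200 15
2026-05-20 10:01:15 GET /uiomatic/object/GetById typeAlias=cities&id=10%20waitfor%20delay'0%3a0%3a10'-- 200 10021
2026-05-20 10:02:00 GET /uiomatic/object/GetById typeAlias=cities&id=11 200 12
2026-05-20 10:02:31 GET /uiomatic/object/GetById typeAlias=cities&id=12%20OR%201%3d1 200 40
"""

GETBYID_STEM = "/uiomatic/object/GetById"

# Tokens that have no business inside an object id; matched case-insensitively after URL decoding.
SQL_TOKENS = re.compile(
    r"(waitfor|delay|sleep\s*\(|benchmark\s*\(|\bor\b|\bunion\b|\bselect\b|'|--|;)", re.I
)


def parse_line(line):
    """Split one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time_, method, stem, query, status, time_taken = parts
    return {
        "timestamp": f"{date} {time_}",
        "method": method,
        "stem": stem,
        "query": query,
        "status": int(status),
        "time_taken_ms": int(time_taken),
    }


def analyse_request(rec, slow_ms=5000):
    """Return the reasons this GetById request looks like an injection attempt ([] if clean)."""
    if rec["stem"].lower() != GETBYID_STEM.lower():
        return []
    params = parse_qs(rec["query"], keep_blank_values=True)  # decodes %20, %3a, %3d
    reasons = []
    for id_value in params.get("id", []):
        if not id_value.isdigit():          # assumption: ids for this object type are integers
            reasons.append("non_numeric_id")
        if SQL_TOKENS.search(id_value):
            reasons.append("sql_tokens_in_id")
    # A long time-taken corroborates a time-based probe but is not reported on its own.
    if reasons and rec["time_taken_ms"] >= slow_ms:
        reasons.append("slow_response")
    return reasons


def scan(log_text, slow_ms=5000):
    """Run the detector over log_text and return one finding per suspicious request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = analyse_request(rec, slow_ms)
        if reasons:
            findings.append({
                "line": lineno,
                "timestamp": rec["timestamp"],
                "query": rec["query"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the constructed log the second line is flagged with all three reasons (the decoded `id` is not numeric, contains `waitfor`/`delay`/`'`/`--`, and took about ten seconds), the fourth with the first two, and the two benign requests produce nothing.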
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/TimGeyssens/UIOMatic/pull/227 (mitre; exploit, issue-tracking)
- github.com/TimGeyssens/UIOMatic/pull/227 (mitre; issue-tracking)
- github.com/TimGeyssens/UIOMatic/pull/227 (mitre; issue-tracking)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry)
News mentions (0)
No linked articles in our index yet.