VYPR
Moderate severity · NVD Advisory · Published Feb 27, 2024 · Updated May 15, 2025

CVE-2024-25400

Description

Subrion CMS 4.2.1 is vulnerable to SQL Injection via ia.core.mysqli.php. NOTE: this is disputed by multiple third parties because it refers to an HTTP request to a PHP file that only contains a class, without any mechanism for accepting external input, and the reportedly vulnerable method is not present in the file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A disputed SQL injection claim in Subrion CMS 4.2.1 that multiple third parties argue is invalid because the referenced file lacks external input handling.

A vulnerability report claims that Subrion CMS 4.2.1 contains a SQL injection flaw in the file ia.core.mysqli.php. The report points to code that constructs SQL queries without sanitizing user input [1], specifically suggesting that methods like getAll can be exploited [4]. However, the official description notes that this claim is disputed by multiple third parties [3].

Critics argue that the PHP file in question only contains a class definition and provides no mechanism for accepting external input, making the injection vector implausible [3]. The disputed vulnerability appears to involve the \iaDb class and its _get method, but the reported method is not actually present in the file according to the disputers [3].

The project's official page describes Subrion as a PHP/MySQL CMS [2], which would make it a potential target for SQL injection if the code were vulnerable. However, the lack of a clear injection point in the specified file has led to the dispute. The impact, if the vulnerability were real, could include unauthorized database access and data manipulation [1], but the disputed nature suggests the claim may be invalid.

No official patch has been released for this specific issue, and the dispute indicates that the claim might be a false positive. The NVD has not yet provided a CVSS score for this CVE [3], and the Subrion project has not issued a formal response confirming the vulnerability. Users should monitor official channels for any future updates.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: intelliants/subrion (Packagist)
Affected versions: <= 4.2.1
Patched versions: (none listed)

Affected products

2

Patches

0

No patches discovered yet.

References

5
