CVE-2024-37791

Vulnerability

Detail

DuxCMS3 v3.1.3 suffers from a SQL injection vulnerability in the keyword parameter of the /article/Content/index?class_id endpoint. The vulnerable code is in App/system/admin/SystemExtendAdmin.php at line 42, where the $value from the request is directly concatenated into a LIKE query without sanitization [2]. The $pageParams array is obtained from the request() function and URL-decoded, allowing an attacker to inject malicious SQL payloads [2].

Exploitation

To exploit the vulnerability, an attacker must have a valid authenticated session cookie [2]. The injection point is the keyword parameter, where a crafted payload like 'and(select*from(select+if(ascii(substr(database(),1,1))>97,sleep(1),0))a//union//select+1)= can be used to perform time-based blind SQL injection [2]. The lack of input filtering allows the attacker to use SQL map or manual techniques to extract data.

Impact

Successful exploitation enables an attacker to extract database content, such as the current database name, through time-based inference [2]. While the CVSS score of 6.0 indicates medium severity, the ability to enumerate the database could lead to further compromise of the CMS.

Mitigation

As of the latest references, no official patch has been released for this vulnerability in version 3.1.3. Users should manually sanitize user inputs, use parameterized queries, or update to a patched version if available. The vendor's repository [1] may contain future fixes.