CVE-2024-57095

Vulnerability

In Go-CMS v1.1.10 and earlier, the /cms/users/export and /cms/roles/export endpoints directly concatenate user-supplied id parameters into SQL queries without sanitization. This SQL injection flaw exists in the export functionality of these two controllers and is present in all versions up to and including v1.1.10 [1][2].

Exploitation

An attacker must have a valid authenticated session with permission to access the export endpoints (i.e., the POST /cms/roles/export and POST /cms/users/export privileges). With such access, the attacker can send a crafted POST request containing malicious SQL in the id parameter. The request includes a JWT authorization token, but the exploit does not require the token to be from an administrative account [1].

Impact

Successful exploitation allows a remote attacker to execute arbitrary SQL queries, which can lead to full database compromise including data exfiltration, modification, and deletion. The CVSS score indicates high impact, and the vendor's issue description rates the vulnerability severity as high [1][2].

Mitigation

As of the last available reference (2025-01-24), no patched version has been released. The vendor has acknowledged the vulnerability, but no official fix or workaround is documented. Users should restrict network access to the /cms/users/export and /cms/roles/export endpoints until a patch is provided [1][2].