SQL Injection in LMS
Description
An SQL Injection vulnerability exists in LMS (LAN Management System) before commit 4cb30a7 within the "tarifflist.php" module due to insufficient sanitization of the POST "tg[]" parameter. The application directly concatenates user-supplied array values into an SQL query using "implode()", allowing authenticated attackers to perform Error-Based SQL injection and extract sensitive database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <=4cb30a7
Patches
Vulnerability mechanics
Root cause
"Insufficient sanitization of the POST `tg[]` parameter allows direct concatenation of user-supplied array values into an SQL query via `implode()`."
Attack vector
An authenticated attacker sends a crafted POST request to the `tarifflist.php` module with malicious values in the `tg[]` parameter. Because the application uses `implode()` to join the array elements directly into an SQL query, the attacker can inject arbitrary SQL fragments. This enables Error-Based SQL injection, allowing extraction of sensitive database information. The attack requires authentication but no special privileges beyond a valid session.
Affected code
The vulnerability resides in `modules/tarifflist.php` within the `GetTariffList()` function. The POST parameter `tg[]` is passed as the `$tags` array and directly concatenated into an SQL query via `implode()` without sanitization. The patch adds a call to `Utils::filterIntegers($tags)` to validate the array values before use.
What the fix does
The patch adds a single line `$tags = Utils::filterIntegers($tags);` before the array is used in the SQL query. `Utils::filterIntegers()` ensures that every element in the `$tags` array is an integer, stripping or rejecting any non-numeric values. This prevents malicious SQL fragments from being concatenated into the query, closing the injection vector entirely.
Preconditions
- authThe attacker must have an authenticated session on the LMS application.
- networkThe attacker must be able to send POST requests to the tarifflist.php module.
- inputThe tg[] parameter must be accepted and processed by the server without prior sanitization.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- github.com/chilek/lms/commit/4cb30a70e7e3d8a0ea53afa2dbef19d5243d449bmitrepatch
- cert.pl/posts/2026/06/CVE-2026-40455mitrethird-party-advisory
- lms.org.plmitreproduct
News mentions
0No linked articles in our index yet.