CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Decidim International Community Environment
Yes
Remote
Code Execution Escalation of Privileges Information Disclosure
A raw sql-statement that uses an interpolated variable exists in the adminroleactions method of the
papertrail/version-model(app/models/decidim/decidim_awesome/paper_trail_version.rb
).
An attacker with admin permissions could manipulate database queries in order to read out the database,
read files from the filesystem, write files from the filesystem. In the worst case, this could lead to remote code
execution on the server.
Description of the vulnerability for use in the CVE [ℹ] (https://cveproject.github.io/docs/content/key-details-
phrasing.pdf) : An improper neutralization of special elements used in an SQL command in the papertrail/version-
model
of the decidim_awesome-module <= v0.11.1 (> 0.9.0) allows an authenticated admin user to manipulate sql queries
to disclose information, read and write files or execute commands.
Wolfgang Hotwagner
https://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability/ https://portswigger.net/web-security/sql-injection
{ "nvd_published_at": "2024-11-12T16:15:21Z", "cwe_ids": [ "CWE-89" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-11-12T19:52:22Z" }