Summary
A 'userId' variable in app/domain/files/repositories/class.files.php is not parameterized. An authenticated attacker can send a carefully crafted POST request to /api/jsonrpc to exploit an SQL injection vulnerability.
I was able to dump the following sensitive information from the database:
- 2FA secret keys
- Hashed passwords
- Emails
- Active session tokens
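As an added illustration, not the report's own payload and not the project's code, the script below reproduces the defect class in a constructed SQLite schema: a files lookup that interpolates userId straight into the SQL text beside the same lookup with a bound parameter. Table and column names, the sample rows and the UNION payload are all assumptions made for the demo; they are not the application's real schema or the request sent to /api/jsonrpc.

```python
import sqlite3

# Constructed stand-in schema (assumption for the demo, not the real application tables).
SCHEMA = """
CREATE TABLE files (id INTEGER, userId INTEGER, name TEXT);
CREATE TABLE users (id INTEGER, email TEXT, password TEXT, twofa_secret TEXT, session_token TEXT);
INSERT INTO files VALUES (1, 7, 'report.pdf'), (2, 8, 'notes.txt');
INSERT INTO users VALUES
  (1, 'alice@example.com', '$2y$10$hash1', 'JBSWY3DPEHPK3PXP', 'sess-aaa'),
  (2, 'bob@example.com',   '$2y$10$hash2', 'KRSXG5CTMVRXEZLU', 'sess-bbb');
"""

# Constructed payload: the SELECT returns two columns, so the injected
# UNION must also yield two columns to be accepted by the parser.
ATTACK = ("0 UNION ALL SELECT email, password || ':' || twofa_secret || ':' || session_token"
          " FROM users")


def make_db():
    """Build an in-memory database with the constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def get_files_vulnerable(con, user_id):
    """Unparameterized lookup: the userId value becomes part of the SQL text."""
    sql = f"SELECT id, name FROM files WHERE userId = {user_id}"
    return con.execute(sql).fetchall()


def get_files_fixed(con, user_id):
    """Parameterized lookup: the value is bound separately and can never be parsed as SQL."""
    return con.execute("SELECT id, name FROM files WHERE userId = ?", (user_id,)).fetchall()


def demo():
    """Run both variants with a legitimate id and with the payload; return the rows each yields."""
    return {
        "vulnerable_normal": get_files_vulnerable(make_db(), 7),
        "vulnerable_attack": get_files_vulnerable(make_db(), ATTACK),
        "fixed_normal": get_files_fixed(make_db(), 7),
        "fixed_attack": get_files_fixed(make_db(), ATTACK),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the payload, the unparameterized version returns every user's email together with the password hash, 2FA secret and session token, which is exactly the kind of data the report lists; the parameterized version returns no rows, because SQLite compares the whole payload string against the integer column and finds no match.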
Impact
Confidentiality is impacted, as it allows for dumping information from the database. It is possible that availability and integrity are affected as well; however, I was unable to modify/drop any tables.