CVE-2023-34754
Published 2023-06-14
Priority P357 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.45% (87.5th percentile)
bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the pid parameter at admin/index.php?mode=settings&page=plugins&action=edit.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bloofox | bloofoxcms | — | — |
Detection & IOCs (extracted from sources)
- command: `status=1&pid=14'+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+Ptkr%26send%3dSave&send=Save`
- path: `/admin/index.php`
- Time-based blind SQL injection: detect requests to /admin/index.php?mode=settings&page=plugins&action=edit with a `pid` parameter containing SQL sleep payloads; a response duration >= 6 seconds indicates successful injection.
- The exploit requires authentication; look for a prior POST login request to /admin/index.php with username/password fields followed immediately by the injection request.
- Confirm exploitation by checking that the response body contains both the 'Active' and 'Inactive' strings alongside an HTTP 200 status code on the second request.
- The SQL injection payload targets the `pid` POST parameter using a time-based SLEEP(6) technique with the comment terminator `-- Ptkr`.
- The vulnerability affects bloofox (bloofoxCMS) version 0.5.2.1 only; other versions are not confirmed vulnerable.
- Exploitation requires prior authentication to the admin panel; the attacker must first obtain valid credentials before injecting via the pid parameter.
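The detection logic described above, as an added example (not from this page or the bloofox project): a small Python detector that parses constructed access-log lines, flags requests to /admin/index.php?mode=settings&page=plugins&action=edit whose `pid` carries a SLEEP() payload, marks a hit as confirmed when the server took at least the requested delay and answered HTTP 200, and notes whether a login POST preceded it from the same source. The log format, sample lines and `REDACTED` password value are assumptions; the detector generalises the page's 6-second case to whatever delay the payload asks for.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (assumed format, not from the page):
# src_ip method url body status seconds   ("-" = no body)
SAMPLE_LOG = [
    "10.0.0.5 POST /admin/index.php username=editor&password=REDACTED&send=Login 302 0.12",
    "10.0.0.5 POST /admin/index.php?mode=settings&page=plugins&action=edit "
    "status=1&pid=14'+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+Ptkr%26send%3dSave&send=Save 200 6.41",
    "10.0.0.9 POST /admin/index.php?mode=settings&page=plugins&action=edit status=1&pid=14&send=Save 200 0.08",
    "10.0.0.7 POST /admin/index.php?mode=settings&page=plugins&action=edit status=1&pid=2'+AND+SLEEP(6)--+x&send=Save 500 0.09",
]

# Matches a sleep-style payload and captures the delay it asks for, in seconds.
SLEEP_RE = re.compile(r"(?i)\bsleep\s*\(\s*(\d+(?:\.\d+)?)")
TARGET = ("settings", "plugins", "edit")  # mode, page, action of the vulnerable handler


def parse_line(line):
    src, method, url, body, status, secs = line.split()
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    form = {} if body == "-" else {k: v[0] for k, v in parse_qs(body).items()}
    return {"src": src, "method": method, "path": parts.path, "query": query,
            "form": form, "status": int(status), "secs": float(secs)}


def is_login(req):
    # A POST to the admin front page carrying username/password fields.
    return (req["method"] == "POST" and req["path"] == "/admin/index.php"
            and {"username", "password"} <= set(req["form"]))


def detect(lines):
    findings, logged_in = [], set()
    for n, line in enumerate(lines, 1):
        req = parse_line(line)
        if is_login(req):
            logged_in.add(req["src"])  # remember sources that authenticated earlier
            continue
        q = req["query"]
        if req["path"] != "/admin/index.php" or (q.get("mode"), q.get("page"), q.get("action")) != TARGET:
            continue
        # pid is a POST parameter in the known payload; fall back to the query string.
        m = SLEEP_RE.search(req["form"].get("pid", q.get("pid", "")))
        if not m:
            continue
        delay = float(m.group(1))
        findings.append({"line": n, "src": req["src"], "delay": delay,
                         "confirmed": req["status"] == 200 and req["secs"] >= delay,
                         "after_login": req["src"] in logged_in})
    return findings
```

A finding with `confirmed` false (payload present but no delay or non-200 status) is still worth alerting on as an attempt; the request shape alone should never appear in legitimate plugin edits.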
No detection rules found.
Nuclei
Bloofox v0.5.2.1 - SQL Injection (nuclei · CVSS 9.8)
CVE-2023-34754 [CRITICAL] Bloofox v0.5.2.1 - SQL Injection
Template:
```yaml
id: CVE-2023-34754
info:
  name: Bloofox v0.5.2.1 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the pid parameter at admin/index.php?mode=settings&page=plugins&action=edit.
  impact: |
    Allows attackers to execute arbitrary SQL queries, potentially leading to data leakage or data manipulation.
  remediation: |
    Update bloofox to version v0.5.2.2 or later to patch the SQL Injection vulnerability.
  reference:
    - https://ndmcyb.hashnode.dev/T-v0521-was-discovered-to-contain-many-sql-injection-vulnerabilit
```
No writeups or analysis indexed.