CVE-2023-34754
published 2023-06-14

CVE-2023-34754: bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the pid parameter at admin/index.php?mode=settings&page=plugins&action=edit.

Priority: P357
CVSS 3.1: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.45% (87.5th percentile)

Affected (1 range)

Vendor  | Product    | Version range | Fixed in
bloofox | bloofoxcms |               |

Detection & IOCs

URL: /admin/index.php?mode=settings&page=plugins&action=edit
Command: status=1&pid=14'+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+Ptkr%26send%3dSave&send=Save
Path: /admin/index.php
  • Time-based blind SQL injection: detect requests to /admin/index.php?mode=settings&page=plugins&action=edit with a `pid` parameter containing SQL sleep payloads; a response duration >= 6 seconds indicates successful injection.
  • The exploit requires authentication; look for a prior POST login request to /admin/index.php with username/password fields followed immediately by the injection request.
  • Confirm exploitation by checking that the response body contains both 'Active' and 'Inactive' strings alongside HTTP 200 status code on the second request.
  • The SQL injection payload targets the `pid` POST parameter using a time-based SLEEP(6) technique with comment terminator `-- Ptkr`.
  • Vulnerability affects specifically bloofox (bloofoxCMS) version 0.5.2.1 only; other versions are not confirmed vulnerable.
  • Exploitation requires prior authentication to the admin panel; the attacker must first obtain valid credentials before injecting via the pid parameter.