CVE-2024-37843
published 2024-06-25

CVE-2024-37843: Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.

Priority: P2 (77)
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 51.28% (98.8th percentile)

Affected (2 ranges)

Vendor     Product     Version range    Fixed in
craftcms   cms         0 – 3.7.31       (not listed)
craftcms   craft_cms   < 3.7.31         3.7.31

The two ranges disagree on whether 3.7.31 itself is affected; the description says "up to v3.7.31", so treat 3.7.31 as in scope unless the vendor advisory says otherwise.

Detection & IOCs (extracted from sources)

url      /api/
command  {"query":"query IntrospectionQuery {assets(orderBy: \"`assets`.`volumeId`,extractvalue(1,concat(0x0a,concat('{{matcher}}',version()))) --\", limit: 5)(unknown)}"}
other    http.favicon.hash:-47932290
other    icon_hash=-47932290
  • The exploit is a POST to the GraphQL endpoint at /api/ with Content-Type: application/json; in the request body, look for an assets(orderBy: "...") argument that carries SQL rather than column names, in particular the extractvalue()/concat() XPATH error-based pattern shown above, which makes MySQL echo the marker and version() back inside an XPATH syntax error.
  • A response with Content-Type: application/json (rather than an HTML page) confirms that the path is serving the Craft CMS GraphQL API.
  • Fingerprinting: Shodan matches on the HTTP header X-Powered-By: Craft CMS or an HTML body containing "craftcms"; the favicon hash above is the same value written in Shodan (http.favicon.hash:-47932290) and FOFA (icon_hash=-47932290) syntax.
  • The vulnerability is unauthenticated (PR:N) and affects Craft CMS up to and including v3.7.31 via the GraphQL API; no authentication token or session is needed to reach the injection point.
  • The payload relies on MySQL XPATH error-based extraction (extractvalue/concat); a signature keyed on those function names will not match a payload written for another database backend, so pair it with a structural check that flags any orderBy value containing anything beyond column names and ASC/DESC.
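The detection logic described in the notes above, as an added example written for this page (not code from Craft CMS, from the page's sources, or from any Nuclei template): it inspects POST bodies sent to /api/, pulls every orderBy string literal out of the GraphQL document, and flags it on two independent grounds, the MySQL-specific extractvalue()/updatexml() pattern and a structural check that rejects anything that is not a list of columns with optional ASC/DESC. The structural check goes beyond the page's MySQL-only IOC so that a payload shaped for another backend still fires. The request dicts and bodies are constructed samples, not captured traffic; the assumption that orderBy is a plain double-quoted GraphQL string literal matches Craft's String argument, and the selection sets ({ id }) and the non-MySQL variant are hypothetical.

```python
"""Flag orderBy SQL injection probes against a Craft CMS GraphQL endpoint.

Added example for this advisory page, not code from Craft CMS or from the
page's sources. The request dicts below are constructed samples, not
captured traffic. Assumptions: requests arrive as dicts with method, path,
content_type and body; the GraphQL orderBy argument is a plain
double-quoted string literal (Craft declares it as a String).
"""
import json
import re

# orderBy: "<string literal>" inside the GraphQL document (no block strings).
ORDERBY_RE = re.compile(r'orderBy\s*:\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)

# MySQL XPATH error-based extraction functions used by the IOC on this page.
MYSQL_ERROR_BASED_RE = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.IGNORECASE)

# SQL comment openers that cut off the rest of the generated ORDER BY clause.
SQL_COMMENT_RE = re.compile(r"--|/\*")

# Grammar of a legitimate orderBy value: comma-separated
# "[`table`.]`column` [ASC|DESC]" terms and nothing else.
_COLUMN = r"`?[A-Za-z_][A-Za-z0-9_]*`?(?:\.`?[A-Za-z_][A-Za-z0-9_]*`?)?"
_TERM = _COLUMN + r"(?:\s+(?:asc|desc))?"
BENIGN_ORDERBY_RE = re.compile(rf"^\s*{_TERM}(?:\s*,\s*{_TERM})*\s*$", re.IGNORECASE)


def extract_orderby_values(graphql_query):
    """Return every string literal passed as an orderBy argument."""
    return ORDERBY_RE.findall(graphql_query)


def orderby_is_suspicious(value):
    """Return the reasons an orderBy value looks injected; empty list if clean."""
    reasons = []
    m = MYSQL_ERROR_BASED_RE.search(value)
    if m:
        reasons.append("mysql-error-based:" + m.group(1).lower())
    if SQL_COMMENT_RE.search(value):
        reasons.append("sql-comment")
    # Structural check: fires for any backend, not only MySQL-shaped payloads.
    if not BENIGN_ORDERBY_RE.match(value):
        reasons.append("non-column-orderby")
    return reasons


def inspect_request(req):
    """Return a finding for a suspected CVE-2024-37843 probe, or None.

    Mirrors the page's detection notes: POST to /api/ with a JSON body
    carrying a GraphQL "query" whose orderBy argument is not a column list.
    """
    if req["method"] != "POST" or not req["path"].startswith("/api"):
        return None
    if not req["content_type"].lower().startswith("application/json"):
        return None
    try:
        query = json.loads(req["body"]).get("query", "")
    except (ValueError, AttributeError):
        return None  # not a JSON object body, so not a GraphQL request
    if not isinstance(query, str):
        return None
    for value in extract_orderby_values(query):
        reasons = orderby_is_suspicious(value)
        if reasons:
            return {"path": req["path"], "orderBy": value, "reasons": reasons}
    return None


def scan(requests):
    """Run inspect_request over a batch and keep only the findings."""
    return [f for f in (inspect_request(r) for r in requests) if f]


# Constructed sample traffic (not captured): benign, IOC-shaped, a
# hypothetical variant without MySQL XPATH functions, and unrelated noise.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/api/", "content_type": "application/json",
     "body": json.dumps({"query": 'query { assets(orderBy: "dateCreated DESC", limit: 5) { id } }'})},
    {"method": "POST", "path": "/api/", "content_type": "application/json; charset=utf-8",
     "body": json.dumps({"query": "query IntrospectionQuery {assets(orderBy: \"`assets`.`volumeId`,extractvalue(1,concat(0x0a,concat('abc',version()))) --\", limit: 5){ id }}"})},
    {"method": "POST", "path": "/api/", "content_type": "application/json",
     "body": json.dumps({"query": 'query { assets(orderBy: "id,(select case when (1=1) then id else 1 end)", limit: 5) { id } }'})},
    {"method": "GET", "path": "/index.php", "content_type": "text/html", "body": ""},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Running the block prints two findings: the IOC-shaped request trips all three reasons, while the hypothetical non-MySQL variant is caught only by the structural check, which is the point of the last note above. Feed real request logs in as dicts of the same shape to use it as a triage filter.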