CVE-2024-37843
Published 2024-06-25
CVE-2024-37843: Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.
Priority: P277 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 51.28% (98.8th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | 0 – 3.7.31 | — |
| craftcms | craft_cms | < 3.7.31 | 3.7.31 |
Detection & IOCs (extracted from sources)
- url: /api/
- command: {"query":"query IntrospectionQuery {assets(orderBy: \"`assets`.`volumeId`,extractvalue(1,concat(0x0a,concat('{{matcher}}',version()))) --\", limit: 5)(unknown)}"}
- other: http.favicon.hash:-47932290
- other: icon_hash=-47932290
- Exploit targets the GraphQL API endpoint at /api/ via POST request with Content-Type: application/json; look for orderBy injection using the extractvalue() XPATH error-based SQLi pattern in the request body.
- Response Content-Type must be application/json to confirm the endpoint is the Craft CMS GraphQL API.
- Shodan fingerprinting: search for Craft CMS instances via the HTTP header 'X-Powered-By: Craft CMS' or an HTML body containing 'craftcms'.
- The vulnerability is unauthenticated (PR:N) and affects Craft CMS up to and including v3.7.31 via the GraphQL API; no authentication token or session is required to trigger the SQL injection.
- The SQLi payload uses MySQL-specific XPATH error-based extraction (extractvalue/concat); detection signatures are MySQL-specific and will not fire against non-MySQL backends.
OSV · 2024-06-25
CVE-2024-37843 [CRITICAL] Craft CMS SQL injection vulnerability via the GraphQL API endpoint
Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.
GHSA · 2024-06-25
CVE-2024-37843 [CRITICAL] CWE-89 Craft CMS SQL injection vulnerability via the GraphQL API endpoint
Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.
No detection rules found.
Nuclei · CVSS 9.8
CVE-2024-37843 [CRITICAL] Craft CMS <=v3.7.31 - SQL Injection
Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.
Template:
```yaml
id: CVE-2024-37843

info:
  name: Craft CMS <=v3.7.31 - SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL queries via the GraphQL API endpoint, potentially compromising the database.
  remediation: |
    Update Craft CMS to a version later than v3.7.31.
  reference:
    - https://blog.smithsecurity.biz/craft-cms-unauthenticated-sqli-via-graphql
    - https://github.com/gsmith257-cyber/CVE-2024-37843-POC
  classification:
    cvss-metrics: CVSS:3.1/AV:
```
No writeups or analysis indexed.
Published: 2024-06-25