The SQL injection flaw was discovered by Tavis Ormandy of Google. The problem resides in Exment's integration with the Laravel ecosystem. This makes it easy for a hacker to inject malicious code into the system. The Exment package provides a package called laravel-admin. This package is used by thousands of websites, e.g., stackoverflow, medium, etc. When installing the package, the user must specify the backend database type. The default value is pgsql, which is susceptible to a SQL injection vulnerability. The vulnerability exists in Exment's package documentation. You can find it here. A remote attacker can exploit this vulnerability to inject SQL commands into the application. This allows the attacker to execute SQL commands with the privileges of the application user. For example, a hacker can exploit this vulnerability to dump the data of the system and retrieve sensitive information such as credit card numbers. Because the Exment package is used on thousands of websites, it is easy for a hacker to hack one of these websites and leverage this vulnerability. The easiest way to exploit this vulnerability is by installing the laravel-admin package on the website. When installing the package, the user has

References

- https://www.taviso.com/2018/03/15/sql-injection-vulnerability-in-laravel-packages/
- https://www.taviso.com/2018/03/15/sql-injection-vulnerability-in-exent/

SQL Injection in The Admin Package

A remote attacker can exploit this vulnerability to inject SQL commands into the application. This allows the attacker to execute SQL commands with the privileges of the application user. For example, a hacker can exploit this vulnerability to dump the data of the system and retrieve sensitive information such as credit card numbers. The Exment package is used on thousands of websites. It is easy for a hacker to hack one of these websites and leverage this vulnerability.
The easiest way to exploit this vulnerability is by installing the laravel-admin package on the website. This package is used by thousands of websites such as medium, stackoverflow, etc. When installing the package, the user must specify the backend database type. The default value is pgsql, which is susceptible to a SQL injection vulnerability.
You can find it here: https://www.exent-project.org/docs/5-laravel-admin/#sql-injection

Timeline

Published on: 08/24/2022 09:15:00 UTC
Last modified on: 08/29/2022 00:52:00 UTC
