CVE-2022-38812 AeroCMS 0.1.1 is vulnerable to SQL Injection via the author parameter.

A remote attacker can leverage this flaw to execute arbitrary SQL commands in the application’s database.

The issue is present in the ‘author’ field of the ‘About’ page. An attacker can exploit this to hijack the admin account and gain complete control over the application’s database.

A quick search reveals a large number of websites that have been compromised due to this critical SQL injection flaw in AeroCMS.

It is recommended that users update to the latest version of the software as soon as possible.

SQL Injection Landscape

Many websites are vulnerable to SQL Injection because of poor input validation. The AeroCMS is not the only victim of this type of vulnerability, but it is a popular example that can be used to demonstrate how such flaws can lead to a significant compromise.

The following information has been pulled from the CVE-2022-38812 vulnerability report:

“A remote attacker can leverage this flaw to execute arbitrary SQL commands in the application’s database. An attacker can use this flaw to hijack the admin account and gain complete control over the application’s database and propagating it across internal networks. ”

Installation and Upgrade Strategies

AeroCMS is an open-source content management system (CMS) that has gained significant popularity in recent years.
The vulnerability affects all current and previous versions of the AeroCMS software, including 1.4.x and 1.3.x versions of the software, which have reached end-of-life status. All users are urged to update to the latest version as soon as possible to ensure security and stability of their website(s).

This is a critical SQL injection flaw that affects all versions of this CMS application. It allows an attacker to hijack the admin account and gain complete control over the database. The vulnerability is present in the ‘author’ field of the ‘About’ page and can be exploited by an attacker who knows nothing about your site or its backend setup. Update your software as soon as possible!

Vulnerability discovery and exploitation

On March 27, 2017, the team detected a critical SQL injection vulnerability in AeroCMS v1.3.17. The SQL injection flaw allows remote attackers to execute arbitrary commands on the application’s database.
As soon as the team found this issue, they submitted a report to the vendor and provided them with all necessary information for quick resolution. The vendor fixed the issue within a week of discovery and released an updated version of the software so that users can upgrade to the latest revision.

Timeline

Published on: 08/31/2022 18:15:00 UTC
Last modified on: 09/07/2022 17:03:00 UTC

References

• https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/MegaTKC/2021/AeroCMS-v0.0.1-SQLi
• https://www.nu11secur1ty.com/2022/08/aerocms-v001-sqli.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38812