An attacker can inject arbitrary SQL code via system\database\DB_query_builder.php join() function. To exploit this vulnerability, an attacker would host a specially crafted request on a website or via a network connection.
CVE Solution: - Upgrade CodeIgniter to version 3.1.13 or higher. - Ensure your server software is up-to-date. - Restrict access to DB_query_builder.php via a firewall. - Monitor DB_query_builder.php access closely. - Avoid using functions such as join() or where() in plugin code.
References !
The reference for this article is [1].
Timeline
Published on: 10/07/2022 11:15:00 UTC
Last modified on: 10/08/2022 01:35:00 UTC