Title: SQL injection in search for users and groups in CrafterCMS
CVE ID: CVE-2023-26020
CVSSv3 Base Score: 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Advisory Release Date: 27 Feb 2023
Advisory URL: https://labs.integrity.pt/advisories/CVE-2023-26020
Credits: Discovery by Gil Correia <gil.correia[at]devoteam.com>
There is an SQL injection in /studio/api/2/users and in /studio/api/2/groups, both in the keyword parameter. It is boolean-based: if the injected condition is true, the response contains all the results, and if the condition is false, the response contains no results (the testing condition being '+AND+123=123--+-).
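The behaviour described above, reproduced as an added example that is not CrafterCMS code or part of the original advisory: a keyword search built by string concatenation next to a parameterized version, with a regression check that the result set does not change with the injected condition. The SQLite stand-in database, the schema, the function names and the false counterpart of the test condition are all assumptions made for illustration.

```python
import sqlite3

# Decoded form of the advisory's test condition ('+' is a URL-encoded space),
# plus a constructed false counterpart for comparison.
TRUE_COND = "' AND 123=123-- -"
FALSE_COND = "' AND 123=124-- -"

def make_db():
    # Constructed sample data; the schema is an assumption, not CrafterCMS's.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO users (username) VALUES (?)",
                   [("admin",), ("author",), ("reviewer",)])
    return db

def search_concat(db, keyword):
    # Vulnerable pattern: the keyword becomes part of the SQL text.
    sql = "SELECT username FROM users WHERE username LIKE '%" + keyword + "%'"
    return sorted(r[0] for r in db.execute(sql))

def search_bound(db, keyword):
    # Hardened pattern: the keyword is a bound value, and LIKE wildcards in it
    # are escaped so it is matched literally.
    esc = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'"
    return sorted(r[0] for r in db.execute(sql, ("%" + esc + "%",)))

def has_boolean_oracle(search, db):
    # Regression check: results must not depend on the injected condition.
    return search(db, TRUE_COND) != search(db, FALSE_COND)

if __name__ == "__main__":
    db = make_db()
    for fn in (search_concat, search_bound):
        print(fn.__name__, "true:", fn(db, TRUE_COND),
              "false:", fn(db, FALSE_COND),
              "oracle:", has_boolean_oracle(fn, db))
```

With the concatenated query the two conditions return all rows and no rows respectively, which is the difference the advisory describes; with the bound parameter both are treated as literal text and match nothing.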