A SQL Injection vulnerability was found in the tempLoanID parameter of the /admin/modules/circulation/loan.php page in the Circulation module of SLiMS 9 Bulian. An authenticated admin user can exploit it to execute arbitrary SQL queries against the backend database, potentially leading to unauthorized access to or manipulation of sensitive data.
The vulnerability was reported on January 8, 2025. The issue was validated and a patch was deployed the same day. CVE-2025-22980 was reserved on January 22, 2025.
Vulnerable Code
The tempLoanID parameter is taken from the search form on loan.php and used to build a database query. Because the value is not validated or sanitized before it is placed in the query, an attacker controlling it can alter the query's structure, which is the root cause of the SQL injection.
Details
- Affected Component: /admin/modules/circulation/loan.php
- Vulnerable Parameter: tempLoanID
- Type of Vulnerability: SQL Injection (SQLi)
- Authentication Required: Yes (Admin user)
Steps to Reproduce
- Log in as an admin user and open the /admin/modules/circulation/loan.php page.
- On this page there is a search field. Enter any text into it and submit the form.
- Intercept the request in Burp Suite with the "Intercept" feature enabled.
- Save the intercepted request to a file (e.g., tes.txt).
- Run sqlmap with the -r option against the saved request, for example:
sqlmap -r tes.txt --batch --level=5 --risk=3 --dump
- Review the sqlmap output, which identifies the injectable parameter and, with --dump, extracts table contents from the database.
Note that --dump retrieves stored data and --risk=3 enables payloads that may modify rows; run this only against an instance you are authorized to test. Adding -p tempLoanID restricts sqlmap to the parameter in question and shortens the scan.
Impact
An attacker with admin privileges can manipulate the backend database, potentially viewing or altering sensitive data and escalating the attack to compromise the system's integrity.
Recommendations
- Use prepared statements with bound parameters so that user input is passed to the database as data and can never change the structure of the query.
- Validate user input, especially for parameters like tempLoanID, as a second layer of defense; validation alone is not a substitute for parameterized queries.
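The following is an added illustration of the recommendation above, not code from the SLiMS project or from the patch. It places a string-concatenated query (the vulnerable pattern the advisory describes) beside a prepared-statement version using mysqli. The connection variable name $dbs, the loan table, and its columns are assumptions made for the example; also shown is the escaping of LIKE wildcards, which bound parameters do not handle on their own.

```php
<?php
// Added example, not SLiMS project code. Assumed names: a mysqli
// connection $dbs and a table loan(loan_id, member_id, loan_date).

// Vulnerable pattern: the request parameter is concatenated straight into
// the SQL text. A value such as  ' OR '1'='1  changes the query's logic,
// and stacked or UNION payloads can read or alter other tables.
function findLoansUnsafe(mysqli $dbs, string $tempLoanID): array
{
    $sql = "SELECT loan_id, member_id, loan_date FROM loan "
         . "WHERE loan_id LIKE '%" . $tempLoanID . "%'";
    $rows = [];
    $result = $dbs->query($sql);
    if ($result !== false) {
        while ($row = $result->fetch_assoc()) {
            $rows[] = $row;
        }
    }
    return $rows;
}

// Escape the LIKE metacharacters so user input matches literally.
// Bound parameters stop injection, but '%' and '_' inside the value would
// still act as wildcards without this step.
function escapeLikePattern(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

// Hardened version: the SQL text is fixed at prepare() time and the value
// is sent separately as a bound string parameter, so it cannot change the
// query structure regardless of its contents.
function findLoansSafe(mysqli $dbs, string $tempLoanID): array
{
    $stmt = $dbs->prepare(
        "SELECT loan_id, member_id, loan_date FROM loan "
        . "WHERE loan_id LIKE ? ESCAPE '\\\\'"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbs->error);
    }
    $pattern = '%' . escapeLikePattern($tempLoanID) . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();

    $rows = [];
    $result = $stmt->get_result();
    while ($row = $result->fetch_assoc()) {
        $rows[] = $row;
    }
    $stmt->close();
    return $rows;
}

// Usage sketch, assuming loan.php reads the parameter from the request.
// $dbs = new mysqli('localhost', 'user', 'pass', 'slims');   // assumed
// $loans = findLoansSafe($dbs, (string)($_GET['tempLoanID'] ?? ''));
```

The hardened function deliberately keeps the same behaviour for ordinary searches; the only difference a user sees is that a literal '%' or '_' in the search box now matches itself instead of acting as a wildcard. Input validation (for example, restricting tempLoanID to the character set a loan ID can actually contain) can be layered on top, but the prepared statement is what removes the injection.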
References
https://github.com/slims/slims9_bulian/issues/270
https://nvd.nist.gov/vuln/detail/CVE-2025-22980