CVE-2014-100011 in Sendy
Summary
by MITRE
SQL injection vulnerability in /send-to in Sendy 1.1.9.1 allows remote attackers to execute arbitrary SQL commands via the c parameter.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/22/2025
The vulnerability identified as CVE-2014-100011 represents a critical sql injection flaw within the Sendy email marketing platform version 1.1.9.1. This vulnerability specifically affects the /send-to endpoint which is designed to handle recipient list management and email sending functionality. The flaw arises from insufficient input validation and sanitization of user-provided data, creating an exploitable condition that allows remote attackers to manipulate the underlying database queries. The vulnerability is particularly dangerous because it exists in a core functionality that handles email recipient data, making it a prime target for attackers seeking to compromise email marketing systems and potentially gain unauthorized access to sensitive user information.
The technical implementation of this vulnerability stems from improper parameter handling within the c parameter of the send-to endpoint. When users provide recipient data through this interface, the application fails to properly sanitize or escape the input before incorporating it into sql queries. This creates a classic sql injection vector where malicious actors can append sql commands to the c parameter, effectively bypassing normal authentication and authorization mechanisms. The vulnerability maps directly to CWE-89 which defines sql injection as the insertion of malicious sql code into input fields for execution by the database. Attackers can leverage this flaw to perform unauthorized data access, data modification, or even complete database compromise depending on the privileges of the database user account.
The operational impact of this vulnerability extends beyond simple data theft, as it enables attackers to manipulate email campaigns, access user databases, and potentially use the compromised system as a launchpad for further attacks. Email marketing platforms like Sendy typically store sensitive user information including email addresses, campaign data, and potentially personal identifiers that attackers can exploit for phishing campaigns or identity theft. The remote nature of this vulnerability means that attackers do not require physical access to the system or knowledge of internal network structures to exploit it. This characteristic aligns with ATT&CK technique T1071.004 which covers application layer protocol manipulation, and T1190 which addresses exploitation of remote services. The vulnerability could also facilitate privilege escalation if the database user account has elevated permissions, potentially allowing attackers to execute system commands or access additional system resources.
Mitigation strategies for this vulnerability should focus on immediate input validation and parameterized query implementation. Organizations using Sendy version 1.1.9.1 should upgrade to the latest available version where this vulnerability has been patched. The fix typically involves implementing proper input sanitization, using prepared statements or parameterized queries, and ensuring that all user-provided data is properly escaped before database insertion. Network-level protections such as web application firewalls can provide additional defense in depth, though they should not be relied upon as the sole mitigation. Security monitoring should include detection of unusual sql query patterns and unauthorized access attempts to the send-to endpoint. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities in other components of the email marketing infrastructure. The vulnerability also highlights the importance of keeping all software components updated and following secure coding practices that prevent sql injection through proper input validation and output encoding.