Submission #831646: grit42 grit v0.8.0 through v0.11.0 SQL Injection

Title: grit42 grit v0.8.0 through v0.11.0 SQL Injection
Description: The Grit::Assays::DataTableEntity model interpolates the user-controlled params[:data_table_id] directly into a Rails .joins(string) clause. The model is protected by entity_crud_with read: [], which allows any active grit user (including zero-role accounts) to reach the sink. A preceding DataTable.find(params[:data_table_id]) call coerces the value via to_i, so a payload such as 1 OR 1=1 passes .find() but is interpolated unchanged into the JOIN, enabling subquery-based blind extraction. A zero-role authenticated attacker extracts the administrator's single_access_token from grit_core_users via boolean-blind brute force, then replays it as a permanent Authorization: Bearer credential for full administrator account takeover. The same primitive reads any column the database role can see, including hashed passwords, password-reset tokens, activation tokens, and second-factor tokens.
Source: https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/SQL%20Injection%20in%20grit42%20Data%20Table%20Entity%20Endpoint
User: Anonymous User
Submitted: 16/05/2026 19:18 (30 days ago)
Moderated: 14/06/2026 14:19 (29 days later)
Status: Accepted
VulDB entry: 370848 [Grit42 Grit up to 0.11.0 data_table_entity.rb DataTableEntity SQL injection]
Points: 20

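The coercion gap described above, as an added example that is not grit42's code: a to_i-based lookup accepts a non-numeric string, so a later string-interpolated JOIN sees the raw value; the strict variant parses a canonical integer first and builds the fragment from the parsed value only. The table and column names, and the helper names, are assumptions for illustration.

```ruby
# Added example, not code from the grit42 project. Table/column names
# (data_table_entities, data_table_id) are assumed for illustration.

# Stand-in for the reported pattern: the lookup coerces with to_i (so
# "1 OR 1=1".to_i == 1 passes the find), but the JOIN fragment is built
# from the raw, uncoerced string.
def vulnerable_join_fragment(raw_id)
  coerced = raw_id.to_s.to_i
  return nil if coerced <= 0 # models find() failing for nonsense ids
  "INNER JOIN data_table_entities ON data_table_entities.data_table_id = #{raw_id}"
end

# Strict parsing: accept only a canonical positive decimal integer.
# Returns an Integer, or nil when the input is anything else.
def strict_data_table_id(raw_id)
  s = raw_id.to_s
  return nil unless s.match?(/\A[1-9]\d*\z/)
  Integer(s, 10)
end

# Hardened form: the fragment is derived from the validated Integer, never
# from the request string. With ActiveRecord the same idea is a bind
# parameter (sanitize_sql_array / where with placeholders) instead of
# interpolating into joins(string).
def safe_join_fragment(raw_id)
  id = strict_data_table_id(raw_id)
  return nil if id.nil?
  "INNER JOIN data_table_entities ON data_table_entities.data_table_id = #{id}"
end

# Detection aid for request logs: a parameter that to_i would accept but
# that is not already a canonical integer is exactly the input class that
# slips through a find()-then-interpolate sequence.
def suspicious_numeric_param?(raw)
  s = raw.to_s.strip
  s.to_i.to_s != s
end
```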