| Title | FastAdmin 1.7.0.20250506 SQL Injection |
|---|
| Description | A time-based blind SQL injection vulnerability exists in FastAdmin <= 1.7.0.20250506. The vulnerability is located in the selectpage() method of Backend.php. The custom parameter's field name is not properly sanitized before being used in WHERE clause, allowing authenticated backend users to inject arbitrary SQL commands and extract sensitive database information including usernames, password hashes, and database structure. |
|---|
| Source | ⚠️ https://note-hxlab.wetolink.com/share/1924AEdgGFYu |
|---|
| User | pemic (UID 93604) |
|---|
| Submission | 12/18/2025 04:18 (4 months ago) |
|---|
| Moderation | 12/19/2025 11:46 (1 day later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 337601 [FastAdmin up to 1.7.0.20250506 Backend Controller Backend.php selectpage custom/searchField sql injection] |
|---|
| Points | 20 |
|---|