CVE-2021-44135
SQL injection in pagekit/pagekit
9.8
CRITICAL
CVSS 3.1
EPSS 0.27%
Description
Pagekit is a modular and lightweight CMS built with Symfony components and Vue.js. The configAction in SettingsController allow user to set the order of comments listing. The allowed options are ASC and DESC. That config then get concatenated directly to the SQL query. Due to the fact that there wasnt any sanitizion before saving that config, it can lead to the SQL Injection vulnerability.
How to fix CVE-2021-44135
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2021-44135 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, <= 1.0.18
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |