CVE-2020-21665

Name of the Vulnerable Software and Affected Versions fastadmin version 1.0.0.20191212 beta fastadmin-tp6 version 1.0

Description The issue allows for SQL injection when a malicious parameter is passed in the URL /admin/ajax/weigh, after a user with administrator rights has logged in. The table parameter in the file app/admin/controller/Ajax.php is not filtered, enabling the SQL injection.

Recommendations For fastadmin version 1.0.0.20191212 beta, consider restricting access to the /admin/ajax/weigh URL until a patch is available. For fastadmin-tp6 version 1.0, avoid using the table parameter in the app/admin/controller/Ajax.php file until the issue is resolved. As a temporary workaround, consider disabling the SQL injection vulnerable functionality in the /admin/ajax/weigh URL until a patch is available.