CVE-2021-44135

Name of the Vulnerable Software and Affected Versions Pagekit all versions

Description The issue concerns SQL Injection via Comment listing. Pagekit, a modular and lightweight CMS built with Symfony components and Vue.js, has a vulnerability in its SettingsController, specifically in the configAction that handles the order of comments listing. The allowed options, ASC and DESC, are concatenated directly to the SQL query without proper sanitization, leading to the SQL Injection vulnerability.

Recommendations For all versions, consider disabling the comment listing feature or restricting access to the SettingsController until a patch is available. As a temporary workaround, avoid using the configAction in SettingsController to set the order of comments listing. Restrict access to the vulnerable SQL query to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.