CVE-2024-48224
Funadmin v5.0.2 has an arbitrary file read vulnerability in /curd/index/editfile...
CVE-2024-48223
Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/fieldlist...
CVE-2024-48227
Funadmin 5.0.2 has a logical flaw in the Curd one-click command deletion function, which can result in a Denial of Service (DoS)...
FunAdmin Security Vulnerability
FunAdmin is an open-source, lightweight, visually polished backend development system built on ThinkPHP6 and Layui. A security vulnerability exists in FunAdmin version 5.0.2, which stems from a logic flaw in the Curd one-click command delete function that could lead to a denial of...
CVE-2024-48228
An issue was found in funadmin 5.0.2. The selectfiles method in \backend\controller\sys\Attachh.php stores the passed parameter names and values directly into the param parameter without filtering, resulting in Cross-Site Scripting (XSS)...
CVE-2024-48230
CVE-2024-48230 affects funadmin 5.0.2 in the index method of backend/controller/auth/Auth.php, where the parentField parameter enables SQL Injection. Multiple sources (NVD, Red Hat, Veracode, OSV, GHSA/GitHub advisories, CVE lists) confirm the vulnerability and its impact on data confidentiality,...
CVE-2024-48225
Funadmin v5.0.2 contains an arbitrary file deletion vulnerability in the /curd/index/delfile endpoint. Multiple connected sources consistently describe this issue, noting that lack of proper access control allows unauthorized deletion of files. The vulnerability is categorized as a high-integrity...
CVE-2024-48222
Summary: CVE-2024-48222 affects Funadmin v5.0.2 with a SQL injection in the /curd/table/edit endpoint. The vulnerability stems from insufficient input validation, allowing untrusted data to be used directly in SQL queries. Connected sources corroborate a SQL injection risk and indicate potential ...
CVE-2024-48226
Funadmin 5.0.2 has a SQL injection vulnerability in curd/table/savefield. The issue arises from improper input handling, enabling manipulation of database queries and potential unauthorized data access/alteration. This is confirmed across multiple sources (GHSA, OSV, NVD/NVD-derived entries, Vera...
CVE-2024-48223
Funadmin v5.0.2 is affected by a SQL injection in the /curd/table/fieldlist API endpoint. The root cause is improper handling/validation of input in that endpoint, enabling attacker-controlled SQL commands. Documented impact scope includes potential data disclosure/modification with high severity...
CVE-2024-48224
Funadmin v5.0.2 has an arbitrary file read vulnerability in the /curd/index/editfile endpoint. The issue is documented across multiple sources (NVD entry CVE-2024-48224 and Red Hat, Veracode, OSV, Snyk, GHSA advisories, CNNVD, PT Security) and is consistently described as an arbitrary file read/l...
CVE-2024-48218
Funadmin v5.0.2 is affected by a SQL injection in the /curd/table/list endpoint. The vulnerability is caused by improper input sanitization in that endpoint (supported by Veracode description and Snyk report citing the list method in curd/controller/Table.php). Exploitation could allow attackers ...
FunAdmin Security Vulnerability
FunAdmin is an open-source, lightweight, visually polished backend development system built on ThinkPHP6 and Layui. A security vulnerability exists in FunAdmin version 5.0.2, which originates from a SQL injection vulnerability in /curd/table/edit...
CVE-2024-48227
CVE-2024-48227 concerns Funadmin 5.0.2, where a logical flaw in the Curd one-click command deletion function can cause a Denial of Service (DoS). The available documents identify the affected software and the faulty delete logic as the root cause, and they consistently describe the impact as DoS. No ...
PT-2024-33033 · Funadmin · Funadmin
Name of the Vulnerable Software and Affected Versions: Funadmin version 5.0.2
Description: The issue is a SQL injection vulnerability located in the /curd/table/fieldlist API endpoint. This allows for potential exploitation by injecting malicious SQL code. No information is provided about the...
CVE-2024-48229
Funadmin 5.0.2 is affected by a SQL injection in the Curd one-click command mode plugin. The vulnerability arises from improper input validation, allowing user-supplied data to be directly included in SQL queries without sanitization. This affects the Curd one-click command mode plugin and can im...
SQL Injection
Overview: Affected versions of this package are vulnerable to SQL Injection via the selectFields parameter in the index function in Auth.php.
Remediation: There is no fixed version for funadmin/funadmin.
References: GitHub Issue; Vulnerable Code...
SQL injection in funadmin
Funadmin 5.0.2 is vulnerable to SQL Injection via the selectFields parameter in the index method of \app\backend\controller\auth\Auth.php...
GHSA-7PP4-388X-2XQJ SQL injection in funadmin
Funadmin 5.0.2 is vulnerable to SQL Injection via the selectFields parameter in the index method of \app\backend\controller\auth\Auth.php...