Blockreassurance Module on Drupal Sites Vulnerable to SQL Injection

CVECVE-2023-47110
CVSScvssV3_1: 9.1
SourceCVE-2023-47110

The Blockreassurance module, used on some Drupal websites to reassure customers, contained a vulnerability that could allow hackers to modify configuration settings through a SQL injection attack.

The module includes an AJAX function that allows updating values in the configuration table without proper validation or sanitization. A malicious actor could craft requests that modify settings or even execute arbitrary SQL commands on the database. This would give them control over the website and access to sensitive user data.

SQL injection is a common attack where malicious SQL code is inserted into an entry field for execution by the backend database. It has been a top web app vulnerability for many years. In this case, the Blockreassurance module did not properly sanitize user input before using it in SQL queries.

If you use a Drupal site with this module, you should update to version 5.1.4 or later which fixes this issue. It’s also a good idea to keep your software up-to-date in general to get the latest security patches. Website owners should also consider enabling additional security measures like a web application firewall.

Being aware of vulnerabilities affecting your tools is important for protecting your users’ data and your website. Keeping software updated with the latest patches is one of the best ways to stay secure online.

References