CVE-2017-11631

9.8 CRITICAL

📋 TL;DR

CVE-2017-11631 is a critical SQL injection vulnerability in Fiyo CMS 2.0.7: the 'id' parameter handled by the status.php controller (dapur/app/app_user/controller/status.php) reaches a database query without validation or parameter binding, so an attacker can inject arbitrary SQL. Every 2.0.7 installation is affected, because the controller ships with the standard package. A successful attacker can read, modify, or delete database content.

💻 Affected Systems

Products:
  • Fiyo CMS
Versions: 2.0.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the status.php controller to be accessible, which is part of the standard installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise: data theft, data destruction, and authentication bypass by reading or rewriting stored credentials. If the CMS database account holds the MySQL FILE privilege and the web root is writable, the injection can be escalated to remote code execution by writing a web shell with SELECT ... INTO OUTFILE.

🟠 Likely Case

Database information disclosure (user records, password hashes), privilege escalation inside the CMS, and unauthorized data manipulation.

🟢 If Mitigated

With the 'id' parameter validated as an integer and bound in a prepared statement, the injection is blocked. With the database account limited to the privileges it needs (no FILE, no access to other schemas), any remaining damage is confined to data that account can already reach.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple parameter manipulation required. Public exploit code exists in GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.8 or later

Vendor Advisory: https://github.com/FiyoCMS/FiyoCMS/issues/7

Restart Required: No

Instructions:

1. Back up your database and files.
2. Download Fiyo CMS 2.0.8 or later from the official repository.
3. Replace the vulnerable file, dapur/app/app_user/controller/status.php, with the patched version.
4. Verify the fix: the affected functionality must still work for a valid integer 'id', and a non-integer value must be rejected rather than reaching the database.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Validate the 'id' parameter before it is used. Edit dapur/app/app_user/controller/status.php so that the value is checked with filter_var() (FILTER_VALIDATE_INT) and then passed to the database through a prepared statement instead of being interpolated into the query text.

Web Application Firewall Rule (platform: all)

Block SQL injection patterns in requests to status.php. Add a WAF rule that inspects the 'id' parameter after URL decoding and blocks any value that is not a plain integer or that contains SQL metacharacters (quotes, comment sequences) or keywords such as UNION and SELECT.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in the affected code.
  • Restrict access to the vulnerable endpoint using network controls or authentication.
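The following is an added example, not code from the Fiyo CMS project, showing the change that both the Input Validation Filter workaround and the first item of the list above describe: a hypothetical reconstruction of the vulnerable pattern (a request parameter spliced into the query text) next to a hardened version that validates 'id' with filter_var() and binds it in a PDO prepared statement. The 'user' table, its columns and the UPDATE shape are assumptions standing in for whatever status.php actually does, and an in-memory SQLite database (pdo_sqlite) is assumed so the script runs without a MySQL server. The payload is the one given in the "How to Verify" section.

```php
<?php
// Added example, not Fiyo CMS source. The 'user' table, its columns and the
// UPDATE shape are assumptions standing in for whatever status.php does;
// SQLite in memory (pdo_sqlite) is used so the script runs offline.
declare(strict_types=1);

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, status INTEGER)');
    $pdo->exec("INSERT INTO user VALUES (1, 'alice', 1), (2, 'bob', 1), (3, 'carol', 1)");
    return $pdo;
}

// VULNERABLE (hypothetical): the raw request value is spliced into the SQL text.
// Returns the number of rows the statement changed.
function setStatusVulnerable(PDO $pdo, string $rawId, int $status): int
{
    $sql = "UPDATE user SET status = $status WHERE id = '$rawId'";
    return $pdo->exec($sql);
}

// HARDENED, step 1: accept only a positive integer. Anything else is rejected
// before it gets near the database.
function validateId(?string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// HARDENED, step 2: bind the validated value; the SQL text never contains user input.
// Returns null when the id is rejected (the controller should answer HTTP 400).
function setStatusHardened(PDO $pdo, ?string $rawId, int $status): ?int
{
    $id = validateId($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $pdo->prepare('UPDATE user SET status = :status WHERE id = :id');
    $stmt->bindValue(':status', $status, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// The payload from the "How to Verify" section, as it would arrive in $_GET['id'].
$payload = "1' OR '1'='1";

$db = makeDb();
// The interpolated WHERE clause becomes  id = '1' OR '1'='1' , which holds for
// every row, so the update is no longer restricted to a single user.
printf("vulnerable: %d rows changed\n", setStatusVulnerable($db, $payload, 0));

$db = makeDb();
$result = setStatusHardened($db, $payload, 0);
printf("hardened:   %s\n", $result === null ? 'rejected (not an integer)' : "$result rows changed");

// A legitimate request still works and is confined to the row it names.
printf("hardened:   %d rows changed for id=2\n", setStatusHardened($db, '2', 0));
```

The two steps are deliberately separate: validation gives the controller a clean type to reason about and a place to return 400, while the prepared statement is what actually removes the injection even if a future edit loosens the validation.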

🔍 How to Verify

Check if Vulnerable:

Send a request to status.php with a non-integer value in the 'id' parameter (e.g., id=1' OR '1'='1, URL-encoded as id=1%27%20OR%20%271%27=%271) and compare the response with a request using a plain id=1. A database error in the response, a changed result, or different behaviour between id=1 AND 1=1 and id=1 AND 1=2 shows that the parameter reaches the query unescaped.

Check Version:

Check the CMS version in the admin panel or review the version file if available.

Verify Fix Applied:

Repeat the same requests after patching. A non-integer 'id' should now be rejected (an error page or 4xx response) and the boolean-based pairs should behave identically; no SQL error text should appear in any response.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • HTTP requests to status.php whose 'id' parameter is not a plain integer, in particular values containing quotes, comment sequences, or SQL keywords, including their URL-encoded forms (%27, %22, %20UNION)

Network Indicators:

  • HTTP requests with SQL injection patterns in parameters

SIEM Query:

source="web_logs" AND uri="*status.php*" AND (param="*id=*'*" OR param="*id=*%27*" OR param="*id=*SELECT*" OR param="*id=*UNION*")
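As an added example, not from the page's vendor or any SIEM product, this PHP script applies the same logic as the SIEM query above and the WAF rule under Temporary Workarounds to constructed access-log lines: it isolates requests to status.php, decodes the 'id' value the way the web server would, treats anything that is not a plain integer as abnormal, and labels values that contain SQL tokens. The log lines and the RFC 5737 addresses in them are constructed for illustration.

```php
<?php
// Added example, not vendor tooling. Scans combined-format access-log lines for
// requests to status.php whose 'id' parameter is not a plain integer and labels
// those carrying common SQL injection tokens. The log lines are constructed.
declare(strict_types=1);

// Tokens that rarely appear in a legitimate integer id. Kept deliberately
// broad: the integer check below, not this list, decides what is "normal".
const SQLI_TOKENS = '/(\'|"|--|\/\*|\bunion\b|\bselect\b|\bsleep\b|\bbenchmark\b|\bor\b|\band\b)/i';

// Extract the request target from the "METHOD /path?query HTTP/x.y" field.
function requestUrl(string $line): ?string
{
    return preg_match('#"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/#', $line, $m) ? $m[1] : null;
}

// Classify one log line:
//   null      not a request to status.php
//   'ok'      no id, or a plain positive integer
//   'sqli'    id contains SQL injection tokens
//   'anomaly' id is not an integer but matches no token (still worth a look)
function classifyLine(string $line): ?string
{
    $url = requestUrl($line);
    if ($url === null) {
        return null;
    }
    $path  = (string) (parse_url($url, PHP_URL_PATH) ?? '');
    $query = (string) (parse_url($url, PHP_URL_QUERY) ?? '');
    if (!preg_match('#/status\.php$#i', $path)) {
        return null;
    }
    parse_str($query, $params);                 // percent-decodes once: %27 -> '
    if (!isset($params['id'])) {
        return 'ok';
    }
    $id = is_array($params['id']) ? implode(',', $params['id']) : (string) $params['id'];
    $id = rawurldecode($id);                    // second pass: %2527 -> %27 -> '
    if (ctype_digit($id)) {
        return 'ok';
    }
    return preg_match(SQLI_TOKENS, $id) ? 'sqli' : 'anomaly';
}

// Constructed sample lines (RFC 5737 documentation addresses).
$sample = [
    '203.0.113.5 - - [10/Aug/2017:10:01:02 +0000] "GET /dapur/app/app_user/controller/status.php?id=7 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Aug/2017:10:01:09 +0000] "GET /dapur/app/app_user/controller/status.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Aug/2017:10:01:15 +0000] "GET /dapur/app/app_user/controller/status.php?id=1%2520UNION%2520SELECT%25201,2,3 HTTP/1.1" 200 312 "-" "curl/7.54.0"',
    '203.0.113.5 - - [10/Aug/2017:10:01:21 +0000] "GET /dapur/app/app_user/controller/status.php?id=abc HTTP/1.1" 500 0 "-" "curl/7.54.0"',
    '198.51.100.7 - - [10/Aug/2017:10:02:00 +0000] "GET /index.php?id=1%27 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
];

foreach ($sample as $line) {
    $verdict = classifyLine($line);
    if ($verdict !== null && $verdict !== 'ok') {
        echo str_pad($verdict, 8), $line, PHP_EOL;
    }
}
```

The "anomaly" class is the important one operationally: a keyword list such as the SIEM query's will miss encodings and dialect tricks, whereas "this parameter is only ever an integer" is a property of the application that does not change with the attacker's payload. The second decoding pass only matters for triage visibility; whether a double-encoded value is actually dangerous depends on whether the application decodes it again.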
