CVE-2023-24782

9.8 CRITICAL

📋 TL;DR

Funadmin v3.2.0 contains a SQL injection vulnerability in the id parameter of the /databases/database/edit endpoint: the value is used in a database query without validation or parameter binding, so an attacker who can reach the endpoint can execute arbitrary SQL against the application's database. Every Funadmin v3.2.0 installation on which the endpoint is reachable is affected.

💻 Affected Systems

Products:
  • Funadmin
Versions: v3.2.0
Operating Systems: All platforms running Funadmin
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation of Funadmin v3.2.0. No special configuration is required to be vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.

🟠

Likely Case

Database information disclosure, data manipulation, and potential authentication bypass.

🟢

If Mitigated

Limited impact if proper input validation and parameterized queries are implemented.

🌐 Internet-Facing: HIGH - The endpoint is part of the web application itself, so any instance whose admin backend is reachable from the internet can be attacked directly.
🏢 Internal Only: HIGH - Anyone who can send requests to the backend can exploit it; network placement alone is not a control, and an internal foothold or a hijacked admin session is enough to reach /databases/database/edit.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are well-understood and easily weaponized. The GitHub issue shows proof of concept exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.2.1 or later

Vendor Advisory: https://github.com/funadmin/funadmin/issues/3 (issue on the vendor's repository containing the original report and proof of concept)

Restart Required: Yes

Instructions:

  1. Back up the database and the application files.
  2. Download the latest Funadmin release from the official repository.
  3. Replace the vulnerable files with the patched versions.
  4. Restart the web application server.
  5. Confirm the fix by re-testing the /databases/database/edit endpoint (see How to Verify below).

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

  • Accept only an integer value for the id parameter and reject everything else before it reaches the query.
  • In the /databases/database/edit handler, validate or cast id as an integer and pass it to the query as a bound parameter, never by string concatenation.

WAF Rule (applies to: all)

  • Front the application with a web application firewall rule scoped to /databases/database/edit.
  • Prefer an allowlist rule (id must match ^[0-9]+$, checked after URL decoding) over blocking SQL keywords: keyword blocklists are bypassed with encoding, comments and keyword-free payloads, and this endpoint has no legitimate non-numeric id values.
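A worked model of the defect and of the validation workaround above, added here as an illustration; it is not Funadmin's code (Funadmin is a PHP/ThinkPHP application on MySQL). The Python/sqlite3 stand-in, the fa_database table and its columns are assumptions made so the example runs offline. The vulnerable handler splices id into the query text, so the payload quoted on this page returns every row and a UNION payload reads other records' connection strings; the hardened handler rejects any non-integer id and binds the value as a parameter.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the application's database. Funadmin is
# PHP/ThinkPHP on MySQL; sqlite3 is used only so this runs offline, and the
# table name and columns are assumptions, not Funadmin's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fa_database (id INTEGER PRIMARY KEY, name TEXT, dsn TEXT)")
    conn.executemany(
        "INSERT INTO fa_database (id, name, dsn) VALUES (?, ?, ?)",
        [
            (1, "main", "mysql://app:secret@db/main"),
            (2, "reporting", "mysql://ro:hunter2@db/reports"),
            (3, "archive", "mysql://arch:pw@db/archive"),
        ],
    )
    return conn


def edit_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """The CVE pattern: the request parameter becomes part of the SQL text."""
    sql = f"SELECT id, name, dsn FROM fa_database WHERE id = '{raw_id}'"
    return conn.execute(sql).fetchall()


class InvalidId(ValueError):
    """Raised when the id parameter is not a positive integer."""


def parse_id(raw_id: str) -> int:
    """Workaround from the page: accept only an integer id (allowlist, not a keyword blocklist)."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", raw_id or ""):
        raise InvalidId(f"id must be a positive integer, got {raw_id!r}")
    return int(raw_id)


def edit_hardened(conn: sqlite3.Connection, raw_id: str) -> list:
    """Validation plus a bound parameter: the value can never change the query's structure."""
    record_id = parse_id(raw_id)
    return conn.execute(
        "SELECT id, name, dsn FROM fa_database WHERE id = ?", (record_id,)
    ).fetchall()


# The payload quoted on this page, plus a UNION that pulls every row's DSN.
PAGE_PAYLOAD = "1' OR '1'='1"
UNION_PAYLOAD = "0' UNION SELECT id, name, dsn FROM fa_database WHERE '1'='1"


def demo() -> dict:
    """Run both handlers against a benign id and the payloads; return what each gives back."""
    conn = make_db()
    out = {
        "vuln_benign": edit_vulnerable(conn, "1"),
        "vuln_page_payload": edit_vulnerable(conn, PAGE_PAYLOAD),
        "vuln_union": edit_vulnerable(conn, UNION_PAYLOAD),
        "safe_benign": edit_hardened(conn, "1"),
    }
    for label, payload in (("safe_page_payload", PAGE_PAYLOAD), ("safe_union", UNION_PAYLOAD)):
        try:
            edit_hardened(conn, payload)
            out[label] = "accepted"
        except InvalidId:
            out[label] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the three constructed rows, edit_vulnerable returns one record for id=1 but all three for either payload, while edit_hardened returns the same single record for id=1 and raises InvalidId for both payloads before any SQL is built. The integer check alone would already stop these payloads; the bound parameter is kept because it also protects the handler if the validation is ever loosened.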

🧯 If You Can't Patch

  • Block access to /databases/database/edit endpoint at network level
  • Implement strict authentication and authorization for database management functions

🔍 How to Verify

Check if Vulnerable:

Only on a system you are authorized to test: send the /databases/database/edit endpoint an id value that is not a plain integer and compare the response with a normal request such as id=1. The payload id=1' OR '1'='1 demonstrates the flaw but makes the query match every row of the table; a boolean pair such as id=1' AND '1'='1 (should behave exactly like id=1) versus id=1' AND '1'='2 (should not) gives the same answer without pulling extra records. A vulnerable instance interprets the injected text as SQL; a fixed one rejects it or treats it as a literal id that matches nothing.

Check Version:

Check Funadmin version in admin panel or configuration files

Verify Fix Applied:

Repeat the same probes after patching. The injected values must be rejected (validation error) or treated as literal ids that match no record, and the responses to the true and false variants must no longer differ from each other.
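A non-destructive checker for the procedure above, added as an example and not taken from the advisory or from Funadmin. It assumes the endpoint path given on this page and a backend reachable at a base URL you supply; the session cookie argument and the response fingerprint (status code plus body length) are assumptions. It sends a baseline request for id=1 and then boolean true/false pairs, in both quoted and unquoted form because the page does not say how the application quotes id, and reports a likely injection only when the true variant mirrors the baseline while the false variant differs. The HTTP function is injectable so the logic can be exercised against a fake backend offline.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Tuple

ENDPOINT = "/databases/database/edit"  # endpoint named in the advisory

# Boolean-based differential probes. Every value still selects id 1, so a
# vulnerable server answers the TRUE variant exactly like the baseline and the
# FALSE variant differently; nothing is returned or modified beyond record 1.
PROBES = {
    "quoted": ("1' AND '1'='1", "1' AND '1'='2"),
    "unquoted": ("1 AND 1=1", "1 AND 1=2"),
}

Fetcher = Callable[[str, str], Tuple[int, bytes]]


def build_url(base: str, raw_id: str) -> str:
    return base.rstrip("/") + ENDPOINT + "?" + urllib.parse.urlencode({"id": raw_id})


def id_from_url(url: str) -> str:
    """Inverse of build_url (used by fakes and handy for log review)."""
    return urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).get("id", [""])[0]


def http_get(url: str, cookie: str) -> Tuple[int, bytes]:
    """Plain stdlib GET; an HTTP error status is returned rather than raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2023-24782-check"})
    if cookie:
        req.add_header("Cookie", cookie)  # backend session, if the instance requires login
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fingerprint(response: Tuple[int, bytes]) -> Tuple[int, int]:
    """Status and body length: per-request tokens of fixed size do not disturb it."""
    status, body = response
    return status, len(body)


def classify(baseline, true_case, false_case) -> str:
    """Injectable when TRUE mirrors the baseline but FALSE does not."""
    b, t, f = fingerprint(baseline), fingerprint(true_case), fingerprint(false_case)
    if b == t and t != f:
        return "likely-injectable"
    if b == t == f:
        return "no-difference"
    return "probe-rejected"  # the TRUE probe was not treated like id=1 (validation or patch)


def check(base: str, cookie: str = "", fetch: Fetcher = http_get) -> dict:
    """Return {probe-set name: verdict} for the target; fetch is injectable for testing."""
    baseline = fetch(build_url(base, "1"), cookie)
    verdicts = {}
    for name, (true_id, false_id) in PROBES.items():
        true_case = fetch(build_url(base, true_id), cookie)
        false_case = fetch(build_url(base, false_id), cookie)
        verdicts[name] = classify(baseline, true_case, false_case)
    return verdicts


if __name__ == "__main__":
    # usage: python check.py https://admin.example.test "PHPSESSID=..."
    target = sys.argv[1]
    session = sys.argv[2] if len(sys.argv) > 2 else ""
    for probe_set, verdict in check(target, session).items():
        print(f"{probe_set}: {verdict}")
```

"likely-injectable" for either probe set means the id text reached the SQL engine; "probe-rejected" after patching is the expected result. If the page body varies in length between identical requests (dynamic content, variable-length tokens), compare only the status code or strip the varying fragment before fingerprinting, otherwise the checker will report no signal on a vulnerable host.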

📡 Detection & Monitoring

Log Indicators:

  • Unusual statements in database query logs: UNION, OR 1=1, SLEEP or BENCHMARK, or the edit page's query touching tables it never reads
  • Unexpected admin logins or password changes shortly after requests to the endpoint (credentials or hashes read out of the database)
  • Requests to /databases/database/edit whose id value is not a plain integer

Network Indicators:

  • HTTP requests to the endpoint with quotes, comment sequences or SQL keywords in id, usually URL-encoded (%27, %20OR%20, %2D%2D)
  • Bursts of requests to database management endpoints from a single client or from automated user agents

SIEM Query:

source="web_logs" AND uri="/databases/database/edit" AND param="id" AND NOT value MATCH "^[0-9]+$"

Match on the URL-decoded value. An allowlist is both tighter and simpler here than the keyword pattern (', ", OR, AND, SELECT, UNION, --): the endpoint has no legitimate non-numeric id, and keyword matching misses encoded or keyword-free payloads while firing on ordinary text elsewhere.
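The detection logic above run over access log lines, added as an example and not part of the advisory. It assumes the common/combined log format of nginx or Apache and the endpoint path from this page; the five sample lines are constructed for the example and are not real traffic. Requests to the endpoint are percent-decoded and their id value checked against the integer allowlist, so the encoded page payload and a time-based probe are flagged while benign edits and other pages are not.

```python
import re
import urllib.parse
from collections import Counter

ENDPOINT = "/databases/database/edit"
INTEGER_ID = re.compile(r"[0-9]{1,10}")

# Common/combined access log line (assumed nginx/Apache layout).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic: one benign edit, two payloads
# (URL-encoded, as a server logs them) from one client, and unrelated requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2023:12:00:01 +0000] "GET /databases/database/edit?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2023:12:00:09 +0000] "GET /databases/database/edit?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9988 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2023:12:00:15 +0000] "GET /databases/database/edit?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "python-requests/2.28.0"
198.51.100.4 - - [10/Feb/2023:12:01:00 +0000] "GET /databases/database/index HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2023:12:01:05 +0000] "GET /databases/database/edit?id=2 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""


def suspicious_id(raw_id: str) -> bool:
    """Allowlist check: anything but a plain integer is out of spec for this endpoint."""
    return INTEGER_ID.fullmatch(raw_id) is None


def scan(log_text: str) -> list:
    """Return one finding per edit request whose decoded id is not an integer."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urllib.parse.urlsplit(m["target"])
        if parts.path != ENDPOINT:
            continue
        # parse_qs percent-decodes, so encoded quotes and spaces are inspected in the clear.
        ids = urllib.parse.parse_qs(parts.query, keep_blank_values=True).get("id", [])
        for raw_id in ids:
            if suspicious_id(raw_id):
                findings.append({
                    "client": m["client"],
                    "time": m["time"],
                    "status": int(m["status"]),
                    "id": raw_id,
                })
    return findings


def clients_by_hits(findings: list) -> Counter:
    """Count findings per source address to surface the noisiest client."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['time']} {f['client']} status={f['status']} id={f['id']!r}")
    print(clients_by_hits(hits))
```

Access logs record only the query string, so an id sent in a POST body is invisible to this scan; for that case enable request body logging at the proxy or WAF, or apply the same allowlist there. The per-client counter is what turns single hits into a pivot: one malformed id may be a typo, several from one address within minutes is a scan.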

🔗 References

  • https://github.com/funadmin/funadmin/issues/3
  • https://nvd.nist.gov/vuln/detail/CVE-2023-24782