SQL Injection in forkcms/forkcms
Oct 30th 2021
When deleting submissions that belong to a form (created with the FormBuilder module), the parameter id is vulnerable to SQL injection.
Proof of Concept
- Call the URL
- To test this URL successfully, you need a valid form and some submissions to that form. You might have to adjust the parameter form_id to another value.
- After calling this URL, you have a new entry in
An attacker can tamper with data in the database at will.
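The pattern behind this class of bug and its fix, as an added example that is not Fork CMS's own code: the request parameters form_id and id come from the advisory, while the table and column names, the comma-separated id format and the PHP/PDO handling are assumptions made for illustration.

```php
<?php
// Added example (not Fork CMS code): deleting form submissions by the
// `form_id` and `id` request parameters named in the advisory. The table and
// column names (forms_data, form_id, id) are assumptions for illustration.

// Validate a comma-separated id list: only positive decimal integers pass,
// so SQL fragments supplied in the parameter never reach the database.
function parseIdList(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $piece) {
        $piece = trim($piece);
        if (!preg_match('/^[1-9][0-9]*$/', $piece)) {
            throw new InvalidArgumentException("Invalid id: '$piece'");
        }
        $ids[(int) $piece] = true;       // de-duplicate
    }
    return array_keys($ids);
}

// Vulnerable pattern, for contrast: the raw parameter is spliced into the
// statement, so anything the client appends becomes part of the WHERE clause.
function deleteSubmissionsUnsafe(PDO $db, int $formId, string $rawIds): int
{
    return $db->exec("DELETE FROM forms_data WHERE form_id = $formId AND id IN ($rawIds)");
}

// Hardened version: validated ints, one placeholder per id, values bound by PDO.
function deleteSubmissions(PDO $db, int $formId, string $rawIds): int
{
    $ids = parseIdList($rawIds);
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM forms_data WHERE form_id = ? AND id IN ($placeholders)");
    $stmt->execute(array_merge([$formId], $ids));
    return $stmt->rowCount();
}

// Demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE forms_data (id INTEGER PRIMARY KEY, form_id INTEGER)');
$db->exec('INSERT INTO forms_data (id, form_id) VALUES (1, 3), (2, 3), (3, 3), (4, 4)');

echo deleteSubmissions($db, 3, '1, 2, 2') . " submissions deleted\n";   // 2
try {
    deleteSubmissions($db, 3, '3 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo "Rejected before reaching SQL: " . $e->getMessage() . "\n";
}
```

Because the id list is validated to integers and bound through prepared-statement placeholders, the database only ever sees numeric values, and a row belonging to another form (id 4 here) cannot be reached through the form_id filter either.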