SQL Injection in galette/galette


Reported on Nov 8th 2021


Hi, I could find a SQL Injection when adding a user.

From OWASP: A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.

Proof of Concept

From the administrator panel:

  1. Add a user and intercept the request
  2. In the id_status field place the payload (SELECT 1 FROM (SELECT(SLEEP(10)))a)-- - to perform a 10s sleep.

Impact

  • Access to the database in read/write mode
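The pattern behind this report and its hardened form, as an added illustration that is not Galette's own code: the vulnerable path splices the submitted id_status field into the INSERT text, the fixed path validates it as an integer and binds it as a parameter. The `members` schema is assumed for the demo, and an in-memory sqlite table stands in for MySQL.

```python
import sqlite3

# Constructed stand-in for the member table; column names are assumed, not Galette's schema.
SCHEMA = "CREATE TABLE members (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, id_status INTEGER NOT NULL)"

# The time-based payload quoted in the report.
PAYLOAD = "(SELECT 1 FROM (SELECT(SLEEP(10)))a)-- -"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def add_member_vulnerable(conn: sqlite3.Connection, name: str, id_status: str) -> int:
    # Vulnerable pattern: the raw form field is spliced into the statement text,
    # so whatever the client sends is handed to the SQL parser. sqlite cannot
    # prepare the injected statement (it has no SLEEP(), and "-- -" comments out
    # the closing parenthesis) and raises; on MySQL, per the report, SLEEP(10) runs.
    sql = f"INSERT INTO members (name, id_status) VALUES ('{name}', {id_status})"
    cur = conn.execute(sql)
    conn.commit()
    return cur.lastrowid


def parse_status_id(raw: str) -> int:
    # Allow-list validation: a status id is a positive integer and nothing else.
    if not raw.isdigit() or int(raw) == 0:
        raise ValueError(f"invalid id_status: {raw!r}")
    return int(raw)


def add_member_safe(conn: sqlite3.Connection, name: str, id_status_raw: str) -> int:
    # Hardened: validate the type first, then bind both values as parameters so
    # the driver sends them as data, never as part of the SQL text.
    id_status = parse_status_id(id_status_raw)
    cur = conn.execute("INSERT INTO members (name, id_status) VALUES (?, ?)", (name, id_status))
    conn.commit()
    return cur.lastrowid


def try_add(insert_fn, raw_status: str) -> str:
    # Demo harness: report what each insert path did with the submitted field.
    conn = fresh_db()
    try:
        insert_fn(conn, "Jane Doe", raw_status)
        return "inserted"
    except ValueError:
        return "rejected"            # input validation refused the value
    except sqlite3.Error:
        return "reached_sql_parser"  # the engine tried to parse the injected text
```

Run `try_add` with each function against `"3"` and `PAYLOAD`: the vulnerable path hands the payload to the SQL engine, the hardened path rejects it before any query is built.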

Timeline

  • We are processing your report and will contact the galette team within 24 hours. (a year ago)
  • We have contacted a member of the galette team and are waiting to hear back. (a year ago)
  • galette/galette maintainer validated this vulnerability. (a year ago)
  • JoMar has been awarded the disclosure bounty.
  • The fix bounty is now up for grabs.
  • Johan Cwiklinski marked this as fixed in 0.9.6 with commit 8e9406. (a year ago)
  • Johan Cwiklinski has been awarded the fix bounty.
  • This vulnerability will not receive a CVE.