CVE-2024-37843: 
PHP vulnerability analysis and mitigation

Craft CMS up to version 3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint. The vulnerability was assigned CVE-2024-37843 and was disclosed on June 25, 2024. The issue affects Craft CMS installations running versions up to 3.7.31 that have the GraphQL API endpoint enabled (NVD).

The vulnerability is a blind time-based SQL injection that can be exploited through the GraphQL API endpoint. The issue stems from insufficient input validation in the orderBy argument, which returns verbose error messages containing full file paths and executed queries. The vulnerability can be triggered by including a backtick character in the query. The attack requires crafting specific queries that can complete the current query without errors while executing injected SQL commands. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) (NVD, Smith Security).

The vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on the backend database. Since the default MySQL database user in Craft CMS runs as root, attackers could potentially read sensitive data from the database and possibly achieve remote code execution by uploading malicious files such as PHP webshells (Smith Security).

The vulnerability has been patched in Craft CMS version 3.7.32. Users running affected versions should upgrade to version 3.7.32 or later to mitigate this vulnerability (Smith Security).