CVE-2024-48222: 
PHP vulnerability analysis and mitigation

Funadmin v5.0.2 contains a SQL injection vulnerability in the /curd/table/edit path. The vulnerability was discovered and reported on September 15, 2024, and was assigned the identifier CVE-2024-48222. The affected software is Funadmin version 5.0.2, specifically in the Curd One Click Command Mode component (GitHub Issue).

The vulnerability exists in the edit method within the Funadmin\addons\curd\app\curd\controller\Table.php file. The issue stems from insufficient filtering of the ID parameter, which is directly concatenated into SQL statements without proper sanitization. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while CISA-ADP assessed it with a more severe score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The SQL injection vulnerability allows authenticated attackers with backend administrator privileges to execute arbitrary SQL queries against the database, potentially leading to unauthorized access, modification, or deletion of sensitive information (GitHub Issue).