ThinkSAAS has a Post-Auth SQL injection vulnerability in app/topic/action/admin/topic.php#2 (bypass of CVE-2020-35337)
0x01 Summay In last December last year, there were security problems caused by improper URLDecode. Reference https://github.com/thinksaas/ThinkSAAS/issues/24 To sum up, it is in ThinkSAAS-master\app\topic\action\admin\topic.php , improper filtering of keyword parameters leads to SQL injection. In last year's fix plan (click Here Direct), the first is $title Changed $kw Variable, And, after tsFilter Function filtering. However, there are still security risks now. # Responsible Vulnerability Disclosure info Title: ThinkSAAS has a Post-Auth SQL injection vulnerability in app/topic/action/admin/topic.php Desc: ThinkSAAS before 3.52 has SQL injection via the /index.php?app=topic&ac=admin&mg=topic&ts=list&title=PoC title parameter(need the privilege of admin), allowing logged attackers to execute arbitrary SQL commands. This is a bypass of CVE-2020-35337. CVSS v3.1 Vector: - 7.5 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:H/MPR:H/