ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To workaround this issue, only pass controlled data to metaColumns(), metaForeignKeys() and metaIndexes() method's $table parameter.
The vulnerability exists in the metaColumns(), metaForeignKeys() and metaIndexes() methods, which do not properly filter the value passed as the table name ($table). An attacker can provide a crafted table name containing malicious SQL fragments that will be directly embedded in the query sent to the SQLite3 database. Lack of proper escaping means that the supplied payload is interpreted as a syntactic part of the SQL query, not as data.
An attacker can execute arbitrary SQL commands on the SQLite3 database, leading to disclosure, modification or deletion of data, and in specific configurations also to further system integrity compromise.
Update the ADOdb library to version 5.22.10, where the issue has been fixed. As a workaround until updating, pass only trusted and controlled data to the $table parameter of the metaColumns(), metaForeignKeys() and metaIndexes() methods.
ADOdb in versions 5.22.9 and earlier, only in scenarios where the PHP application connects to SQLite3 database and calls metaColumns(), metaForeignKeys() or metaIndexes() methods with untrusted data as the table name.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L