Share
## https://sploitus.com/exploit?id=PACKETSTORM:214784
feedyour.email - SQL Injection via Search Parameter
    Advisory ID: RO-26-003
    CVE ID: CVE-2025-XXXX (Pending)
    Severity: Critical
    Vendor: indirect
    Product: feedyour.email
    Version: <=2.4.1
    
    
    Overview #
    
    A SQL Injection vulnerability exists in feedyour.email. The vulnerability allows remote attackers to execute arbitrary SQL commands via the search functionality.
    
    
    Vulnerability Details #
    
    Affected Versions: <=2.4.1
    
    Root Cause: The search parameter (params[:q]) is passed directly to the SQLite search() function without proper sanitization, allowing attackers to inject malicious SQL commands.
    
    Vulnerable Code: The vulnerability exists in app/controllers/posts_controller.rb where user input is directly passed to the search function:
    
    @posts = @posts.search(params[:q]).to_a
    
    
    
    Exploitation Requirements #
    
        No authentication required.
        Attacker must have access to the search functionality.
    
    Impact #
    
    Remote attackers can exploit this vulnerability to:
    
        Extract sensitive data from the database.
        Modify or delete database contents.
        Bypass authentication mechanisms.
        Potentially achieve remote code execution depending on database configuration.
    
    Proof of Concept #
    
    Using sqlmap, the search parameter was confirmed vulnerable to SQL injection attacks. Boolean-based blind and UNION-based injections were successfully demonstrated.
    
    
    Solution #
    
    Upgrade to a patched version of feedyour.email that includes proper input sanitization using character whitelisting.
    
    
    References #
    
        GitHub Pull Request #732
        Fix Commit
    
    Timeline:
    
        [2025-12-29] - Reported
        [2025-12-30] - Fixed
    
    Credits: Omar Kurt