📄 Description (English)
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.
🤖 AI Executive Summary
Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 contain a critical SQL Injection vulnerability in the element-indexes/get-elements endpoint via the criteria[orderBy] parameter. An authenticated attacker with Control Panel access can execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. Patches are available in versions 4.16.18 and 5.8.22, and exploitation requires valid credentials but poses significant risk to organizations using vulnerable Craft CMS instances.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 20:54
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Craft CMS for content management, particularly in media, publishing, e-commerce, and government digital services sectors, face significant risk. The vulnerability affects: (1) Media and Publishing companies managing digital content platforms; (2) E-commerce businesses using Craft for product catalogs; (3) Government agencies deploying Craft for citizen-facing digital services; (4) Financial services firms using Craft for customer portals. The impact is elevated for organizations handling sensitive customer data, financial information, or classified government content. ARAMCO subsidiaries, STC digital services, and SAMA-regulated fintech platforms using Craft CMS are particularly at risk.
🏢 Affected Saudi Sectors
Media and Publishing
E-commerce and Retail
Government and Public Sector
Financial Services
Telecommunications
Healthcare
Energy and Utilities
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Craft CMS instances in your environment and document their versions
2. Restrict Control Panel access to trusted administrators only; implement IP whitelisting if possible
3. Monitor database query logs for suspicious SQL patterns in ORDER BY clauses
4. Review access logs for unauthorized Control Panel login attempts
PATCHING GUIDANCE:
1. Upgrade Craft CMS 4.x installations to version 4.16.18 or later
2. Upgrade Craft CMS 5.x installations to version 5.8.22 or later
3. Test patches in staging environment before production deployment
4. Schedule patching during maintenance windows to minimize service disruption
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement Web Application Firewall (WAF) rules to block SQL injection patterns in criteria[orderBy] parameter
2. Use database activity monitoring (DAM) to detect and alert on suspicious queries
3. Implement principle of least privilege for database service accounts
4. Enable database query logging and audit trails
5. Restrict Control Panel access to VPN/corporate network only
DETECTION RULES:
1. Monitor POST requests to /element-indexes/get-elements endpoint
2. Alert on criteria[orderBy] parameters containing SQL keywords: UNION, SELECT, INSERT, DELETE, DROP, EXEC, SCRIPT
3. Monitor for viewState[order] parameter manipulation or omission in suspicious requests
4. Track database error logs for SQL syntax errors from application queries
5. Implement IDS/IPS signatures for Craft CMS SQL injection attempts
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع نسخ Craft CMS في بيئتك وقم بتوثيق إصداراتها
2. قيد الوصول إلى لوحة التحكم للمسؤولين الموثوقين فقط؛ قم بتنفيذ القائمة البيضاء للعناوين IP إن أمكن
3. راقب سجلات استعلامات قاعدة البيانات للأنماط المريبة في جملة ORDER BY
4. راجع سجلات الوصول لمحاولات تسجيل الدخول غير المصرح بها إلى لوحة التحكم
إرشادات التصحيح:
1. قم بترقية تثبيتات Craft CMS 4.x إلى الإصدار 4.16.18 أو أحدث
2. قم بترقية تثبيتات Craft CMS 5.x إلى الإصدار 5.8.22 أو أحدث
3. اختبر التصحيحات في بيئة التجريب قبل نشرها في الإنتاج
4. جدول التصحيح أثناء نوافذ الصيانة لتقليل انقطاع الخدمة
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. قم بتنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر أنماط حقن SQL في معامل criteria[orderBy]
2. استخدم مراقبة نشاط قاعدة البيانات (DAM) للكشف والتنبيه عن الاستعلامات المريبة
3. قم بتنفيذ مبدأ الامتياز الأقل لحسابات خدمة قاعدة البيانات
4. تفعيل تسجيل استعلامات قاعدة البيانات ومسارات التدقيق
5. قيد الوصول إلى لوحة التحكم إلى VPN/الشبكة الداخلية فقط
قواعد الكشف:
1. راقب طلبات POST إلى نقطة نهاية /element-indexes/get-elements
2. تنبيه على معاملات criteria[orderBy] التي تحتوي على كلمات مفتاحية SQL: UNION, SELECT, INSERT, DELETE, DROP, EXEC, SCRIPT
3. تتبع معامل viewState[order] للتلاعب أو الحذف في الطلبات المريبة
4. تتبع سجلات أخطاء قاعدة البيانات لأخطاء بناء جملة SQL من استعلامات التطبيق
5. تنفيذ توقيعات IDS/IPS لمحاولات حقن SQL في Craft CMS
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for system development and maintenance
ECC 2024 A.14.2.5 - Secure development policy
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Monitoring and logging of access to information and information processing facilities
🔵 SAMA CSF
SAMA CSF 2.1 - Asset Management and Inventory
SAMA CSF 3.2 - Vulnerability Management
SAMA CSF 3.3 - Patch Management
SAMA CSF 4.1 - Access Control and Authentication
SAMA CSF 5.2 - Detection and Analysis
🟡 ISO 27001:2022
ISO 27001:2022 A.8.1 - User endpoint devices
ISO 27001:2022 A.8.2 - Privileged access rights
ISO 27001:2022 A.8.3 - Information access restriction
ISO 27001:2022 A.14.2 - Development security
ISO 27001:2022 A.14.3 - Test data
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Ensure security patches are installed within one month of release
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 8.2 - Ensure proper user authentication
PCI DSS 10.2 - Implement automated audit trails for access to cardholder data
🔗 References & Sources 3
🔗
https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2
security-advisories@github.com
Patch
🔗
https://github.com/craftcms/cms/releases/tag/5.8.22
security-advisories@github.com
Release Notes
🔗
https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj
security-advisories@github.com
Exploit
Vendor Advisory
Patch
📦 Affected Products / CPE 8 entries
craftcms:craft_cms
craftcms:craft_cms
craftcms:craft_cms:4.0.0
craftcms:craft_cms:4.0.0
craftcms:craft_cms:4.0.0
craftcms:craft_cms:4.0.0
craftcms:craft_cms:5.0.0
craftcms:craft_cms:5.0.0