CVE Details
Basic Information
| Title | ADOdb’s sqlite3 driver allows SQL injection |
|---|---|
| Type | cve |
| Published | 2025-08-05T00:12:52.505Z |
| Modified | 2025-08-05T00:12:52.505Z |
Product Information
| Vendor | ADOdb |
|---|---|
| Product | ADOdb |
| Version | < 5.22.10 |
CVSS Information
| Base Score | 10.0 (CRITICAL) |
|---|---|
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L |
AI Analysis
| AI Description | ADOdb versions before 5.22.10 have a SQL injection vulnerability in the sqlite3 driver. This occurs when metaColumns(), metaForeignKeys(), or metaIndexes() methods are called with uncontrolled data, allowing attackers to execute arbitrary SQL. The issue is fixed in version 5.22.10. |
|---|---|
| AI Severity | Critical |
| AI Vendor | ADOdb |
| AI Product | ADOdb |
| AI Version | <5.22.10 |
Affected Products
- ADOdb ADOdb < 5.22.10
Additional Information
| CWE List | CWE-89 |
|---|---|
| Source | GitHub_M |
Description
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To work around this issue, only pass controlled data to the $table parameter of the metaColumns(), metaForeignKeys() and metaIndexes() methods.