CVE-2026-30655 Overview
A SQL injection vulnerability exists in the Solicitante::resetaSenha() function of esiclivre/esiclivre version 0.2.2 and earlier. This vulnerability allows unauthenticated remote attackers to gain unauthorized access to sensitive information via the cpfcnpj parameter in /reset/index.php. The flaw stems from insufficient input sanitization in the password reset functionality, enabling attackers to manipulate SQL queries and potentially extract, modify, or delete database contents.
Critical Impact
Unauthenticated attackers can exploit this SQL injection vulnerability to access sensitive data stored in the application's database without requiring any prior authentication or user interaction.
Affected Products
- esiclivre/esiclivre version 0.2.2 and earlier
- All installations using the vulnerable Solicitante::resetaSenha() function
- Deployments with exposed /reset/index.php endpoint
Discovery Timeline
- 2026-03-24 - CVE CVE-2026-30655 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-30655
Vulnerability Analysis
This SQL injection vulnerability resides in the password reset functionality of the esiclivre application. The Solicitante::resetaSenha() function fails to properly sanitize user-supplied input from the cpfcnpj parameter before incorporating it into SQL queries. This allows attackers to inject malicious SQL statements that are executed against the underlying database.
The vulnerability is accessible via the network without requiring any authentication or privileges. No user interaction is necessary to exploit this flaw, making it particularly dangerous for internet-facing deployments. Successful exploitation can compromise the confidentiality and integrity of data stored in the application's database.
Root Cause
The root cause of this vulnerability is improper input validation in the Solicitante::resetaSenha() method. The cpfcnpj parameter, intended to accept Brazilian CPF or CNPJ identification numbers for password reset operations, is directly concatenated or interpolated into SQL queries without proper parameterization or escaping. This classic SQL injection pattern (CWE-89) allows attacker-controlled data to break out of the intended data context and execute as SQL commands.
Attack Vector
The attack vector is network-based, targeting the /reset/index.php endpoint. An unauthenticated attacker can craft a malicious HTTP request containing SQL injection payloads in the cpfcnpj parameter. The vulnerability can be exploited using standard SQL injection techniques including:
- Union-based injection to extract data from other tables
- Boolean-based blind injection to infer database contents
- Time-based blind injection when no direct output is available
- Error-based injection to extract information through database error messages
For technical details and proof-of-concept information, see the GitHub PoC Repository.
Detection Methods for CVE-2026-30655
Indicators of Compromise
- Unusual or malformed requests to /reset/index.php containing SQL syntax characters such as single quotes, double dashes, or UNION statements
- Database query errors in application logs related to the password reset functionality
- Unexpected database queries executed against tables not typically accessed during password reset operations
- Anomalous data extraction patterns or bulk data access from the database
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block SQL injection patterns in the cpfcnpj parameter
- Implement application-level logging to capture all requests to /reset/index.php with full parameter details
- Monitor database query logs for suspicious queries originating from the password reset function
- Use intrusion detection systems (IDS) with SQL injection signatures targeting password reset endpoints
Monitoring Recommendations
- Enable verbose logging for the esiclivre application, particularly the password reset module
- Configure real-time alerting for SQL error messages in web server and application logs
- Monitor for unusual database connection patterns or query execution times that may indicate exploitation attempts
- Review access logs for repeated requests to /reset/index.php from single IP addresses
How to Mitigate CVE-2026-30655
Immediate Actions Required
- Restrict access to the /reset/index.php endpoint using network-level controls or web server configuration
- Implement WAF rules to filter SQL injection patterns in the cpfcnpj parameter
- Consider temporarily disabling the password reset functionality until a patch is applied
- Review database access logs for any signs of prior exploitation
Patch Information
Check the esiclivre GitHub repository for updated releases that address this vulnerability. Users should upgrade to a version newer than 0.2.2 once a patched release becomes available. Review the GitHub PoC Repository for additional technical details and mitigation guidance.
Workarounds
- Apply input validation at the web server level to restrict the cpfcnpj parameter to alphanumeric characters only
- Use a reverse proxy or WAF to sanitize incoming requests to the password reset endpoint
- Implement database user privilege restrictions to limit the potential impact of SQL injection
- Consider implementing a CAPTCHA or rate limiting on the password reset functionality to slow down exploitation attempts
# Apache mod_rewrite example to block SQL injection patterns
# Add to .htaccess or Apache configuration
RewriteEngine On
RewriteCond %{QUERY_STRING} (union|select|insert|delete|drop|update|concat|char|hex) [NC]
RewriteRule ^reset/index\.php$ - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
