feedyour.email - SQL Injection via Search Parameter

Overview #

A SQL Injection vulnerability exists in feedyour.email. The vulnerability allows remote attackers to execute arbitrary SQL commands via the search functionality.

Vulnerability Details #

Affected Versions: <=2.4.1

Root Cause: The search parameter (params[:q]) is passed directly to the SQLite search() function without proper sanitization, allowing attackers to inject malicious SQL commands.

Vulnerable Code: The vulnerability exists in app/controllers/posts_controller.rb where user input is directly passed to the search function:

@posts = @posts.search(params[:q]).to_a

Exploitation Requirements #

  • No authentication required.
  • Attacker must have access to the search functionality.

Impact #

Remote attackers can exploit this vulnerability to:

  • Extract sensitive data from the database.
  • Modify or delete database contents.
  • Bypass authentication mechanisms.
  • Potentially achieve remote code execution depending on database configuration.

Proof of Concept #

Using sqlmap, the search parameter was confirmed vulnerable to SQL injection attacks. Boolean-based blind and UNION-based injections were successfully demonstrated.

Solution #

Upgrade to a patched version of feedyour.email that includes proper input sanitization using character whitelisting.
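As an added illustration (not feedyour.email's own code, and not the project's actual patch), the following Ruby contrasts the vulnerable pattern from posts_controller.rb, where the raw query lands inside the SQL text, with a hardened version that whitelists the characters of the search term and then passes it as a bind parameter rather than interpolating it. The table and column names, the allowed character set and the length cap are assumptions chosen for the example; no database is opened, the functions return the SQL text and bind values so the difference is visible and testable.

```ruby
# Added example, not the project's code: vulnerable vs. whitelisted search.

# Vulnerable pattern (what the advisory describes): the user-controlled
# term is interpolated straight into the SQL string.
def unsafe_search_sql(q)
  "SELECT id, title FROM posts WHERE title LIKE '%#{q}%' ORDER BY id"
end

# Assumed whitelist: letters, digits, whitespace, hyphen and period.
# It excludes quotes, comment markers and LIKE wildcards (% and _).
ALLOWED_TERM = /\A[[:alnum:][:space:]\-.]*\z/
MAX_TERM_LENGTH = 200 # assumed cap

# Returns the cleaned term, or nil when the input is empty or contains
# a character outside the whitelist.
def sanitize_term(q)
  term = q.to_s.strip
  return nil if term.empty?
  return nil unless term.match?(ALLOWED_TERM)
  term[0, MAX_TERM_LENGTH]
end

# Hardened pattern: the term only ever travels as a bind value, and the
# whitelist keeps LIKE metacharacters out of it as well.
# Returns [sql, binds], or nil when the term was rejected.
def safe_search_sql(q)
  term = sanitize_term(q)
  return nil if term.nil?
  ["SELECT id, title FROM posts WHERE title LIKE ? ORDER BY id", ["%#{term}%"]]
end

# Stand-in for the controller action: rejects bad terms with a 400
# instead of letting them reach the query layer.
def search_action(params)
  sql, binds = safe_search_sql(params[:q])
  return { status: 400, error: "invalid search term" } if sql.nil?
  { status: 200, sql: sql, binds: binds }
end

if __FILE__ == $PROGRAM_NAME
  p unsafe_search_sql("rails tips")
  p safe_search_sql("rails tips")
  p search_action({ q: "it's" })
end
```

In a Rails app the bind value would be handed to `where("title LIKE ?", "%#{term}%")` or a scope that does the same; the point is that rejection happens before the query is built, and nothing the user typed is ever part of the SQL text.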

References #