Craft Commerce, an ecommerce platform for Craft CMS, contains an SQL injection vulnerability in versions 5.0.0 through 5.5.4. The vulnerability occurs because the input sanitization blocklist implemented in ElementIndexesController only filters top-level Yii2 Query properties like where and orderBy, but does not sanitize the hasVariant and hasProduct properties. These properties internally call Craft::configure() on a subquery without proper sanitization, reintroducing the SQL injection risk. Authenticated control panel users can exploit this vulnerability via boolean-based blind SQL injection to extract sensitive database information, including security keys that enable forging admin sessions and privilege escalation. The issue is resolved in version 5.6.0.

An attacker with authenticated control panel access can exploit this vulnerability to perform boolean-based blind SQL injection, allowing extraction of arbitrary database contents. This includes sensitive security keys that could be used to forge admin sessions, leading to privilege escalation and potentially full control over the application.

This vulnerability has been fixed in Craft Commerce version 5.6.0. Users should upgrade to version 5.6.0 or later to remediate this issue. Patch status is not explicitly stated in the vendor advisory, but the fix is included in version 5.6.0. Until upgraded, restrict authenticated control panel access to trusted users only.