Submit #101935: There is a sql injection vulnerability in the crmeb_java system /api/admin/store/product/list interface
| Title | There is a sql injection vulnerability in the crmeb_java system /api/admin/store/product/list interface |
|---|---|
| Description | [Suggested description] sql injection vulnerability exists in crmeb_java <=1.3.4 Failure to check the parameters legally leads to sqli. [Vulnerability Type] SQLi [Vendor of Product] https://github.com/crmeb/crmeb_java [Affected Product Code Base] <=1.3.4 [Affected Component] /api/admin/store/product/list [Attack Type] Remote [Vulnerability details] Get the interface request package GET /api/admin/store/product/list?page=1&limit=20&cateId=&keywords=&type=1&temp=1678870222 HTTP/2 Host: api.java.crmeb.net Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99" Accept: application/json, text/plain, / Authori-Zation: 213ff6ff1ca24ae78f8263bd7ad0ea6c Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://admin.java.crmeb.net Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://admin.java.crmeb.net/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 The cateId parameter has an injection vulnerability. |
| Source | ⚠️ https:/ |
| User | Mechoy (ID 41579) |
| Submission | 03/15/2023 11:39 (1 Year ago) |
| Moderation | 03/23/2023 19:36 (8 days later) |
| Accepted | Accepted |
| VulDB Entry | VDB-223738 |