| عنوان | AutohomeCorp frostmourne <= 1.0 SQL Injection |
|---|
| الوصف | Frostmourne Monitor contains a MySQL dynamic SQL injection vulnerability in the alarm preview/query flow. The metricContract.queryString value is treated as trusted SQL and is directly concatenated into backend queries without parameterization or whitelist validation. An authenticated attacker who can access the alarm preview functionality can first enumerate an available MySQL data name and then supply arbitrary SQL expressions that are executed by the server against the corresponding MySQL data source. |
|---|
| المصدر | ⚠️ https://fx4tqqfvdw4.feishu.cn/docx/M0u0dPZmZosY9Ax6OsScJ3Blnxf?from=from_copylink |
|---|
| المستخدم | xcxr (UID 86629) |
|---|
| ارسال | 19/03/2026 01:15 PM (28 أيام منذ) |
|---|
| الاعتدال | 04/04/2026 04:09 PM (16 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 355333 [AutohomeCorp frostmourne حتى 1.0 Alarm Preview previewData httpTest حقن SQL] |
|---|
| النقاط | 20 |
|---|