| Title | JFinalOA has SQL injection |
|---|
| Description | The product is from https://gitee.com/glorylion/JFinalOA.
The vulnerability is in src/main/java/com/pointlion/mvc/common/model/SysOrg.java.
Code:
```java
// Vulnerable as reported: id and type are concatenated straight into the SQL string.
String sql = "select * from sys_org m where m.parent_id='"+id+"' ";
if(StrKit.notBlank(type)){
    sql = sql + " and m.type='"+type+"' ";
}
sql = sql + " order by m.sort";
return SysOrg.dao.find(sql);
```
The attacker can use the SQL injection vulnerability to obtain database information.
URL: /admin/sys/org/getOrgTree?orgid=xxx
|
|---|
| Source | https://github.com/skisw/Vul/blob/main/vuloa |
|---|
| User | amazingday (UID 40512) |
|---|
| Submission | 09/02/2023 07:43 AM (3 years ago) |
|---|
| Moderation | 09/02/2023 11:59 AM (4 hours later) |
|---|
| Status | Approved |
|---|
| VulDB Entry | 220469 [glorylion JFinalOA 1.0.2 SysOrg.java SQL injection] |
|---|
| Points | 20 |
|---|
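The following is an added example, not code from JFinalOA or from the submitter. It rebuilds the reported string concatenation in Python against an in-memory SQLite table (the table layout and rows are constructed assumptions; only `parent_id`, `type` and `sort` are implied by the reported query), shows how a value in the `id` or `type` position changes the statement, and contrasts it with the parameterised form. In the Java code the equivalent fix is to keep the statement shape fixed and pass `id` and `type` through JFinal's `Model.find(String sql, Object... paras)` overload rather than splicing them into the string.

```python
# Added example (not JFinalOA's code): reproduces the concatenated query from
# SysOrg.java in Python against SQLite, shows the injection effect, and
# contrasts it with a parameterised query.
import sqlite3

# Constructed sample data; the column list is an assumption, only parent_id,
# type and sort are implied by the reported query.
SAMPLE_ROWS = [
    ("1", "0", "dept", 1),
    ("2", "1", "dept", 2),
    ("3", "1", "team", 3),
    ("4", "9", "dept", 4),
]


def make_db():
    """In-memory SQLite stand-in for the application's sys_org table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table sys_org (id text, parent_id text, type text, sort integer)"
    )
    conn.executemany("insert into sys_org values (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_sql(org_id, org_type=None):
    """Same string building as the reported Java: input spliced into the SQL."""
    sql = "select * from sys_org m where m.parent_id='" + org_id + "' "
    if org_type:
        sql = sql + " and m.type='" + org_type + "' "
    sql = sql + " order by m.sort"
    return sql


def find_vulnerable(conn, org_id, org_type=None):
    """Runs the concatenated statement exactly as built."""
    return conn.execute(build_vulnerable_sql(org_id, org_type)).fetchall()


def find_parameterised(conn, org_id, org_type=None):
    """Hardened form: statement shape is fixed, values travel as bind parameters."""
    sql = "select * from sys_org m where m.parent_id=?"
    paras = [org_id]
    if org_type:
        sql += " and m.type=?"
        paras.append(org_type)
    sql += " order by m.sort"
    return conn.execute(sql, paras).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Intended use: the two children of org "1".
    print(find_vulnerable(conn, "1"))
    # Tautology in the id position: the WHERE clause is always true, every row returned.
    print(find_vulnerable(conn, "' or '1'='1"))
    # Comment sequence in the type position: drops the trailing ORDER BY and opens the filter.
    print(find_vulnerable(conn, "1", "x' or 1=1 -- "))
    # UNION in the id position: reads schema metadata out of the database catalogue.
    print(find_vulnerable(conn, "' union select name, sql, null, null from sqlite_master -- "))
    # Parameterised: the same payload is compared as a literal parent_id and matches nothing.
    print(find_parameterised(conn, "' or '1'='1"))
```

The UNION payload needs as many columns as `select *` yields (four in this constructed table), which is the usual first thing an attacker enumerates; on the real deployment the catalogue table and column count would differ, but the mechanism is the same.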