| Titel | Yonyou KSOA v9.0 SQL Injection |
|---|
| Beschreibung | A SQL injection vulnerability exists in the Yonyou Space-Time KSOA Platform v9.0. The vulnerability is located in the `/worksheet/work_report.jsp` file. The application accepts untrusted input via the `id` HTTP GET parameter and directly concatenates it into a backend SQL query without proper validation or parameterization. This allows an **unauthenticated remote attacker** to inject malicious SQL commands, leading to potential data leakage, unauthorized database access, or server manipulation. The backend database appears to be Microsoft SQL Server. |
|---|
| Quelle | ⚠️ https://github.com/LX-66-LX/cve/issues/10 |
|---|
| Benutzer | LX-66-LX (UID 92717) |
|---|
| Einreichung | 08.01.2026 15:56 (vor 4 Monaten) |
|---|
| Moderieren | 17.01.2026 19:16 (9 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 341716 [Yonyou KSOA 9.0 HTTP GET Parameter work_report.jsp ID SQL Injection] |
|---|
| Punkte | 20 |
|---|