| Title | JFinalOA has sql injection |
|---|---|
| Description | The product is from https://gitee.com/glorylion/JFinalOA. The vulnerability is in src/main/java/com/pointlion/mvc/common/model/SysOrg.java.<br>Code:<br>`String sql = "select * from sys_org m where m.parent_id='"+id+"' ";`<br>`if(StrKit.notBlank(type)){`<br>`    sql = sql + " and m.type='"+type+"' ";`<br>`}`<br>`sql = sql + " order by m.sort";`<br>`return SysOrg.dao.find(sql);`<br>The attacker can use the SQL injection vulnerability to obtain database information.<br>URL: /admin/sys/org/getOrgTree?orgid=xxx |
| Source | https://github.com/skisw/Vul/blob/main/vuloa |
| User | amazingday (UID 40512) |
| Submission | 09.02.2023 07:43 (3 years ago) |
| Moderation | 09.02.2023 11:59 (4 hours later) |
| Status | Accepted |
| VulDB Entry | 220469 [glorylion JFinalOA 1.0.2 SysOrg.java ID SQL Injection] |
| Points | 20 |