Enviar #758328: z-9527 admin ≤ commit 72aaf2d SQL Injectioninformación

Títuloz-9527 admin ≤ commit 72aaf2d SQL Injection
DescripciónA SQL injection vulnerability exists in Z-9527 Admin ≤ commit 72aaf2d at the /user/getUser endpoint, where the username query parameter is concatenated directly into a SQL statement without sanitization or parameterization. As a result, authenticated attackers can perform UNION-based SQL injection attacks, bypass the original query logic, and retrieve sensitive information from the database. The leaked data is reflected directly in the JSON response fields. Mitigations include replacing string concatenation with parameterized queries or prepared statements, implementing strict input validation and sanitization for all user-supplied parameters, applying the principle of least privilege to database connections, deploying web application firewalls with SQL injection detection rules, and conducting comprehensive security audits of all database query construction patterns across the codebase.
Fuente⚠️ https://github.com/CC-T-454455/Vulnerabilities/tree/master/z9527-admin/vulnerability-4
Usuario
 Anonymous User
Sumisión2026-02-14 14:48 (hace 2 meses)
Moderación2026-02-25 15:04 (11 days later)
EstadoDuplicado
Entrada de VulDB347772 [z-9527 admin 1.0/2.0 user.js checkName/register/login/getUser/getUsers inyección SQL]
Puntos0

AnteriorVisión De ConjuntoPróximo

Do you know our Splunk app?

Download it now for free!