| Title | Hunan Zhonghe Baiyi Information Technology Co., Ltd. Baiyi Cloud Asset Management System /wuser/admin.ticket.close.php SQL Injection |
|---|---|
| Description | The /wuser/admin.ticket.close.php interface of the Baiyi Cloud Asset Management System contains a Time-Based Blind SQL Injection vulnerability. Attackers can exploit this vulnerability by constructing a malicious ticket_id parameter, leveraging the SLEEP() function to induce database operation delays, bypass security mechanisms, and extract sensitive data (such as database names and table structures). This vulnerability can be exploited without authentication and affects multiple asset instances. Verified target addresses include http://x.x.x.x, http://x.x.x.x, among others. Sensitive Data Exposure: Attackers can exfiltrate user information, ticket records, system configurations, and other critical data. Privilege Escalation: By leveraging SQL injection, attackers may escalate privileges and gain full control over the server. Service Disruption: Malicious injections may corrupt database integrity, leading to application downtime. Legal and Compliance Risks: Data breaches may violate cybersecurity laws such as GDPR, leading to legal repercussions. |
| Source | https://github.com/sekaino-sakura/CVE/blob/main/CVE_2.md |
| User | sekainosakura (UID 81280) |
| Submission | 08/02/2025 13:52 (1 year ago) |
| Moderation | 21/02/2025 07:56 (13 days later) |
| Status | Accepted |
| VulDB entry | 296475 [Baiyi Cloud Asset Management System 8.142.100.161 admin.ticket.close.php ticket_id SQL injection] |
| Points | 20 |