| Titre | liyupi yu-picture <= 0.0.1-SNAPSHOT SQL Injection |
|---|
| Description | yu-picture is an enterprise-level image sharing platform based on Vue 3 + Spring Boot + MyBatis-Plus. Multiple pagination query endpoints (POST /api/picture/list/page/vo, POST /api/space/list/page/vo) are accessible without authentication and accept a user-controlled sortField parameter that is directly concatenated into the SQL ORDER BY clause via MyBatis-Plus orderBy() method without any validation or parameterization. An unauthenticated remote attacker can exploit this time-based blind SQL injection to extract arbitrary data from the database, including user credentials and admin passwords. The vulnerability exists in PictureServiceImpl.java (L336), SpaceServiceImpl.java (L224), and UserServiceImpl.java (L240), all sharing the same vulnerable pattern in the PageRequest base class. |
|---|
| La source | ⚠️ https://github.com/liyupi/yu-picture/issues/4 |
|---|
| Utilisateur | anch0r (UID 96691) |
|---|
| Soumission | 07/04/2026 10:29 (il y a 21 jours) |
|---|
| Modérer | 26/04/2026 03:19 (19 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 359633 [liyupi yu-picture MyBatis-Plus PictureServiceImpl.java PageRequest sortField injection SQL] |
|---|
| Points | 20 |
|---|