| Titre | xianrendzw EasyReport Releases SQL Injection |
|---|
| Description | Project Information
Project: xianrendzw/EasyReport
Type: Stored SQL Injection
Severity: High (CVSS 7.5)
CWE: CWE-89 (SQL Injection)
Vulnerability Description
EasyReport contains a stored SQL injection where report parameters are stored via MyBatis and later used in SQL concatenation without parameterization.
Data Flow
REST API (reportParams) → MyBatis → SQL concatenation → execute()
Write Path
REST endpoint accepts report configuration with SQL parameters
Parameters stored via MyBatis to database
Read Path
Stored report parameters retrieved during report generation
Values concatenated into SQL strings via MyBatis ${} syntax or Java string concatenation
SQL executed without parameterization |
|---|
| La source | ⚠️ https://github.com/Ku4D3/bug_story/blob/main/report_10.md |
|---|
| Utilisateur | Ku4D3 (UID 97639) |
|---|
| Soumission | 28/04/2026 04:50 (il y a 1 mois) |
|---|
| Modérer | 25/05/2026 21:28 (28 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 365543 [xianrendzw EasyReport jusqu’à 2.0.17.0522_Beta REST Endpoint execute reportParams injection SQL] |
|---|
| Points | 20 |
|---|