| Field | Value |
|---|---|
| Title | xianrendzw EasyReport Releases SQL Injection |
| Description | Project Information<br>Project: xianrendzw/EasyReport<br>Type: Stored SQL Injection<br>Severity: High (CVSS 7.5)<br>CWE: CWE-89 (SQL Injection)<br>Vulnerability Description<br>EasyReport contains a stored SQL injection: report parameters are stored via MyBatis and later concatenated into SQL strings without parameterization.<br>Data Flow<br>REST API (reportParams) → MyBatis → SQL concatenation → execute()<br>Write Path<br>The REST endpoint accepts a report configuration containing SQL parameters.<br>The parameters are stored in the database via MyBatis.<br>Read Path<br>The stored report parameters are retrieved during report generation.<br>Their values are concatenated into SQL strings via MyBatis ${} syntax or Java string concatenation.<br>The resulting SQL is executed without parameterization. |
| Source | https://github.com/Ku4D3/bug_story/blob/main/report_10.md |
| User | Ku4D3 (UID 97639) |
| Submission | 28/04/2026 04:50 AM (1 month ago) |
| Moderation | 25/05/2026 09:28 PM (28 days later) |
| Status | Accepted |
| VulDB Entry | 365543 [xianrendzw EasyReport up to 2.0.17.0522_Beta REST Endpoint execute reportParams SQL injection] |
| Points | 20 |