| Titolo | TDuckCloud tduck-platform 5.1 SQL Injection |
|---|
| Descrizione | Name: TDuck Platform
Version: Community Edition v5.1
Repository: https://gitee.com/TDuckApp/tduck-platform / https://github.com/TDuckCloud/tduck-platform
A SQL injection vulnerability exists in TDuck Platform version 5.1 (Community Edition) in the /user/form/data/download/file endpoint via the formKey parameter. The vulnerable parameter is directly concatenated into a SQL statement without proper sanitization or parameterization, leading to arbitrary SQL execution.
The vulnerability can be exploited by authenticated users.
Full technical details and a proof of concept (PoC) are available at:
https://github.com/kaixliu56/public_vulns/blob/main/TDuck-sqli.md |
|---|
| Fonte | ⚠️ https://github.com/kaixliu56/public_vulns/blob/main/TDuck-sqli.md |
|---|
| Utente | 0xc00005 (UID 87052) |
|---|
| Sottomissione | 13/07/2025 05:34 (12 mesi fa) |
|---|
| Moderazione | 19/07/2025 12:44 (6 days later) |
|---|
| Stato | Accettato |
|---|
| Voce VulDB | 317003 [TDuckCloud tduck-platform 5.1 UserFormDataMapper.java UserFormDataMapper formKey iniezione SQL] |
|---|
| Punti | 20 |
|---|