| Title | https://github.com/jeecgboot/JeecgBoot <=3.9.1 SQL Injection |
|---|
| Description | JeecgBoot versions up to and including 3.9.1 contain a SQL injection vulnerability in the /sys/dict/loadTreeData API endpoint. The condition parameter accepts a JSON object, and the key _tableFilterSql within that object is spliced directly into a MyBatis dynamic SQL statement through a ${} placeholder. In MyBatis, ${} performs plain string substitution into the SQL text before the statement is prepared (unlike #{}, which binds a parameter), and no sanitization, blacklist filtering, or parameterized binding is applied to the value. An authenticated attacker with a valid JWT token (obtainable via normal user login) can craft a malicious condition._tableFilterSql value containing a UNION SELECT payload to extract arbitrary data from the database. Query results are returned directly in the JSON response body in plaintext. |
|---|
| Source | https://github.com/jeecgboot/JeecgBoot/issues/9571 |
|---|
| User | JD Security SHENYI Team (UID 97436) |
|---|
| Submitted | 2026-04-20 14:16 (2 months ago) |
|---|
| Moderation | 2026-05-07 18:37 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 361902 [JeecgBoot up to 3.9.1 JSON Object /sys/dict/loadTreeData condition SQL Injection] |
|---|
| Points | 20 |
|---|
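The injection pattern described above, modelled as an added example that is not JeecgBoot's own code: a handler that splices the request's `_tableFilterSql` value into the SQL text (the behaviour of a MyBatis `${}` placeholder) next to a hardened handler that refuses raw SQL fragments and binds only whitelisted column filters as parameters (the behaviour of `#{}`). The schema, table names (`dict_item`, `app_user`), column names and rows are constructed for the demonstration and do not come from the project; Python with sqlite3 stands in for the Java/MyBatis stack so the example runs offline.

```python
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema (hypothetical names, not JeecgBoot's tables)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE dict_item (id INTEGER, name TEXT, parent_id TEXT);
        INSERT INTO dict_item VALUES (1, 'root', '0'), (2, 'child', '1');
        CREATE TABLE app_user (id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO app_user VALUES (1, 'admin', 'hash-of-admin');
        """
    )
    return conn


def load_tree_vulnerable(conn: sqlite3.Connection, condition_json: str) -> list:
    """Vulnerable pattern: the JSON value is pasted into the SQL string, the way a
    MyBatis ${} placeholder substitutes text before the statement is prepared."""
    cond = json.loads(condition_json)
    filter_sql = cond.get("_tableFilterSql", "1=1")
    sql = f"SELECT id, name, parent_id FROM dict_item WHERE {filter_sql}"
    return conn.execute(sql).fetchall()


# Hardened variant: no raw SQL fragment is accepted at all; each filter must name a
# whitelisted column and its value is bound as a parameter (MyBatis #{} semantics).
ALLOWED_COLUMNS = {"id", "name", "parent_id"}


def load_tree_safe(conn: sqlite3.Connection, condition_json: str) -> list:
    cond = json.loads(condition_json)
    if "_tableFilterSql" in cond:
        raise ValueError("raw SQL filter is not accepted")
    clauses, params = [], []
    for col, val in cond.items():
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {col}")
        clauses.append(f"{col} = ?")   # column name comes from the whitelist only
        params.append(val)             # value is bound, never interpolated
    where = " AND ".join(clauses) or "1=1"
    sql = f"SELECT id, name, parent_id FROM dict_item WHERE {where}"
    return conn.execute(sql, params).fetchall()


def request_is_suspicious(condition_json: str) -> bool:
    """Simple detection hook for logs or a WAF rule: the key itself should never
    appear in a legitimate request once the endpoint no longer honours it."""
    try:
        cond = json.loads(condition_json)
    except ValueError:
        return False
    return isinstance(cond, dict) and "_tableFilterSql" in cond


if __name__ == "__main__":
    db = make_db()
    # The UNION must match the three selected columns; the 1=0 drops the real rows.
    payload = json.dumps(
        {"_tableFilterSql": "1=0 UNION SELECT id, username, password_hash FROM app_user"}
    )
    print("vulnerable:", load_tree_vulnerable(db, payload))
    print("safe, legitimate filter:", load_tree_safe(db, json.dumps({"parent_id": "1"})))
    print("safe, injection attempt as value:", load_tree_safe(db, json.dumps({"parent_id": "1 OR 1=1"})))
    print("suspicious request:", request_is_suspicious(payload))
```

The vulnerable handler returns the `app_user` row in place of dictionary data, which is the plaintext leak the advisory describes; the hardened handler rejects the `_tableFilterSql` key outright, and an injection attempt smuggled into an allowed column's value is bound as a literal string and simply matches nothing.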