| Title | 美特软件 MetaCRM 6.4.2 SQL Injection |
|---|---|
| Description | MetaCRM6 is an enterprise-level customer relationship management system developed by Beijing Metasoft Technology Co., Ltd. Launched in December 2009, it targets medium and large enterprises, offering intelligent, platform-based CRM solutions. Key features include 360° customer profile management, full sales cycle support, multi-organization management, efficient delivery processes, and integration with ERP/PLM/MES. It serves over 40 sectors like smart manufacturing and medical equipment, with a mobile app for iPad. However, the mcc_login.jsp interface in MetaCRM6 is vulnerable to SQL injection. A SQL injection sink point has been identified through global search, specifically at a parameter concatenation location. Upon examining the "getArray" method in the "com.metasoft.framework.db.DBManager" class, it was found that parameters are directly concatenated into the SQL statement without any filtering or sanitization before execution. This oversight leads to a SQL injection vulnerability exploitable via the front end. |
| Source | ⚠️ https://github.com/FightingLzn9/vul/blob/main/MetaCRM6-SQLI-1.md |
| User | nu11 (UID 81380) |
| Submitted | 2025-07-08 05:11 AM (12 months ago) |
| Moderation | 2025-07-19 09:15 AM (11 days later) |
| Status | Accepted |
| VulDB entry | 316987 [Metasoft 美特软件 MetaCRM up to 6.4.2 mcc_login.jsp workerid SQL injection] |
| Points | 20 |