| 제목 | Shenzhen DAS INTELLITECH Co., Ltd. Parking Management System 6.2.0 SQL Injection |
|---|
| 설명 | A critical security flaw has been identified in the ParkingRecord/ExportParkingRecords API endpoint of the "Parking Management System." The vulnerability stems from a complete lack of authentication (Unauthorized Access) combined with inadequate sanitization of the Value parameter within JSON payloads, resulting in a high-impact SQL Injection.
A remote, unauthenticated attacker can exploit this vulnerability by submitting a specially crafted POST request without any valid credentials. Successful exploitation allows the attacker to bypass access control to extract highly sensitive user data. Furthermore, in specific database environments, this can be escalated to Remote Code Execution (RCE) via database extensions (e.g., xp_cmdshell), leading to total system takeover. This poses a severe risk to the confidentiality, integrity, and availability of the affected infrastructure. |
|---|
| 원천 | ⚠️ https://ucn9h68n9289.feishu.cn/wiki/XW9QwcTjCixlLiklQfBcJCcYn0e?from=from_copylink |
|---|
| 사용자 | bigbrother_man (UID 96003) |
|---|
| 제출 | 2026. 04. 29. AM 04:41 (1 월 ago) |
|---|
| 모더레이션 | 2026. 05. 26. AM 09:18 (27 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 365610 [Das Parking Management System 停车场管理系统 6.2.0 API Endpoint ExportParkingRecords xp_cmdshell 값 SQL 주입] |
|---|
| 포인트들 | 20 |
|---|