| Título | TDuckCloud tduck-platform 5.1 SQL Injection |
|---|
| Descrição | Name: TDuck Platform
Version: Community Edition v5.1
Repository: https://gitee.com/TDuckApp/tduck-platform / https://github.com/TDuckCloud/tduck-platform
A SQL injection vulnerability exists in TDuck Platform version 5.1 (Community Edition) in the /user/form/data/download/file endpoint via the formKey parameter. The vulnerable parameter is directly concatenated into a SQL statement without proper sanitization or parameterization, leading to arbitrary SQL execution.
The vulnerability can be exploited by authenticated users.
Full technical details and a proof of concept (PoC) are available at:
https://github.com/kaixliu56/public_vulns/blob/main/TDuck-sqli.md |
|---|
| Fonte | ⚠️ https://github.com/kaixliu56/public_vulns/blob/main/TDuck-sqli.md |
|---|
| Utilizador | 0xc00005 (UID 87052) |
|---|
| Submissão | 13/07/2025 05h34 (há 12 meses) |
|---|
| Moderação | 19/07/2025 12h44 (6 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 317003 [TDuckCloud tduck-platform 5.1 UserFormDataMapper.java UserFormDataMapper formKey Injeção SQL] |
|---|
| Pontos | 20 |
|---|