| Título | https://github.com/jeecgboot/JeecgBoot <=3.91 SQL Injection |
|---|
| Descrição | JeecgBoot versions up to and including 3.9.1 contain a SQL injection vulnerability in the /sys/dict/loadDict/{dictCode} API endpoint. The keyword parameter supports an [orderby:field,direction] annotation to specify result ordering. The ORDER BY field value is extracted and concatenated directly into a SQL ORDER BY clause with no parameterization.
Although a partial blacklist (specialDictSqlXssStr) is applied to the ORDER BY value, it fails to block MySQL CASE WHEN expressions, LIKE comparisons, and subquery-based boolean conditions. An authenticated attacker can inject a CASE WHEN <condition> THEN id ELSE dict_name END expression into the ORDER BY clause and infer the truth value of arbitrary SQL conditions by observing the change in result ordering — a classic boolean-based blind injection.
The vulnerability was verified to successfully extract the database name (jeecg-boot) and MySQL version (8.0.19) character-by-character using LIKE prefix enumeration. |
|---|
| Fonte | ⚠️ https://github.com/jeecgboot/JeecgBoot/issues/9570 |
|---|
| Utilizador | JD Security SHENYI Team (UID 97436) |
|---|
| Submissão | 20/04/2026 14h15 (há 2 meses) |
|---|
| Moderação | 07/05/2026 18h34 (17 days later) |
|---|
| Estado | Duplicado |
|---|
| Entrada VulDB | 359948 [JeecgBoot até 3.9.1 loadDict Endpoint SqlInjectionUtil.java SqlInjectionUtil keyword Injeção SQL] |
|---|
| Pontos | 0 |
|---|