Отправить #758326: z-9527 admin ≤ commit 72aaf2d SQL InjectionИнформация

Название	z-9527 admin ≤ commit 72aaf2d SQL Injection
Описание	A SQL blind injection vulnerability exists in Z-9527 Admin ≤ commit 72aaf2d at the /user/register endpoint, where the username field in the request body is concatenated directly into a SQL statement without sanitization or parameterization. As a result, unauthenticated attackers can inject malicious SQL payloads using time-based blind-injection techniques to infer sensitive database information character-by-character through response-time analysis. This enables complete database enumeration, credential extraction, and potential privilege escalation. Mitigations include immediately replacing string concatenation with parameterized queries or prepared statements, implementing strict input validation and sanitization for all user-supplied parameters, applying the principle of least privilege to database connections, deploying web application firewalls with SQL injection detection rules, and conducting comprehensive security audits of all database query construction patterns across the codebase.
Источник	⚠️ https://github.com/CC-T-454455/Vulnerabilities/tree/master/z9527-admin/vulnerability-2
Пользователь	Anonymous User
Представление	14.02.2026 14:47 (2 месяцы назад)
Модерация	25.02.2026 15:04 (11 days later)
Статус	Дубликат
Запись VulDB	347772 [z-9527 admin 1.0/2.0 user.js checkName/register/login/getUser/getUsers SQL-инъекция]
Баллы	0

◂ Предыдущий Обзор Далее ▸

Do you need the next level of professionalism?

Upgrade your account now!