| Название | xianrendzw EasyReport Releases SQL Injection |
|---|
| Описание | Project Information
Project: xianrendzw/EasyReport
Type: Stored SQL Injection
Severity: High (CVSS 7.5)
CWE: CWE-89 (SQL Injection)
Vulnerability Description
EasyReport contains a stored SQL injection where report parameters are stored via MyBatis and later used in SQL concatenation without parameterization.
Data Flow
REST API (reportParams) → MyBatis → SQL concatenation → execute()
Write Path
REST endpoint accepts report configuration with SQL parameters
Parameters stored via MyBatis to database
Read Path
Stored report parameters retrieved during report generation
Values concatenated into SQL strings via MyBatis ${} syntax or Java string concatenation
SQL executed without parameterization |
|---|
| Источник | ⚠️ https://github.com/Ku4D3/bug_story/blob/main/report_10.md |
|---|
| Пользователь | Ku4D3 (UID 97639) |
|---|
| Представление | 28.04.2026 04:50 (1 месяц назад) |
|---|
| Модерация | 25.05.2026 21:28 (28 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 365543 [xianrendzw EasyReport до 2.0.17.0522_Beta REST Endpoint execute reportParams SQL-инъекция] |
|---|
| Баллы | 20 |
|---|