| Title | DataGear queryOrder parameter has SQL injection |
|---|
| Description | DataGear is an open source and free data visualization and analysis platform, free to create any data dashboard you want, and supports access to various data sources such as SQL, CSV, Excel, HTTP interface, and JSON. Before version 4.5.1, the system did not strictly filter the queryOrder parameter, resulting in SQL injection.The interfaces that can be directly used by the front desk include /analysisProject/pagingQueryData, /dataSet/pagingQueryData, /chart/pagingQueryData |
|---|
| Source | ⚠️ https://github.com/yangyanglo/ForCVE/blob/main/2023-0x01.md |
|---|
| User | yangyanglo (UID 43465) |
|---|
| Submission | 03/21/2023 16:39 (3 years ago) |
|---|
| Moderation | 03/22/2023 12:10 (20 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 223563 [DataGear up to 4.5.0 pagingQueryData queryOrder sql injection] |
|---|
| Points | 20 |
|---|