| Title | WebStack-Guns Project WebStack-Guns 1.0 SQL Injection |
|---|---|
| Description | WebStack-Guns 1.0 fails to sanitize the `sort` parameter used for server-side table ordering in the log administration endpoints. The value is passed directly into MyBatis `${}` substitutions, allowing authenticated users (including deployments that reuse default admin credentials) to inject arbitrary SQL into the underlying MySQL database, resulting in data disclosure, tampering, and potential availability impact. |
| Source | ⚠️ https://github.com/Xzzz111/exps/blob/main/archives/WebStack-Guns-SQLInjection-1/report.md |
| User | sh7err04 (UID 92493) |
| Submission | 11/10/2025 12:51 (7 months ago) |
| Moderation | 11/30/2025 18:05 (20 days later) |
| Status | Accepted |
| VulDB entry | 333821 [jsnjfz WebStack-Guns 1.0 PageFactory.java sort sql injection] |
| Points | 20 |