| Field | Value |
|---|---|
| Title | Yonyou KSOA v9.0 SQL Injection |
| Description | A SQL injection vulnerability exists in the Yonyou Space-Time KSOA Platform v9.0. The vulnerability is located in the `/kmc/save_catalog.jsp` file. The application accepts untrusted input via the `catalogid` HTTP GET parameter and directly concatenates it into a backend SQL query without proper validation or parameterization. This allows an **unauthenticated remote attacker** to inject malicious SQL commands, leading to potential data leakage, unauthorized database access, or server manipulation. The backend database appears to be Microsoft SQL Server. |
| Source | https://github.com/LX-66-LX/cve/issues/13 |
| User | LX-66-LX (UID 92717) |
| Submission | 01/08/2026 16:15 (3 months ago) |
| Moderation | 01/18/2026 08:14 (10 days later) |
| Status | Accepted |
| VulDB entry | 341721 [Yonyou KSOA 9.0 HTTP GET Parameter /kmc/save_catalog.jsp catalogid sql injection] |
| Points | 20 |