| Field | Value |
|---|---|
| Title | https://github.com/FeMiner/wms Enterprise Warehouse Management System V1.0 SQL Injection |
| Description | In the basic organizational structure module of this office management system, a high-risk SQL injection vulnerability exists in the background processing file depart_add_bg.php, located at the server path \src\basic\depart\depart_add_bg.php. The root cause is that, when writing the database interaction code for the department-addition function, the developers did not perform strict input validation, special-character escaping, or parameterized queries on key parameters passed from the front end (such as department name, parent department ID, department manager number, and department permission identifier), and instead concatenated user-controllable input directly into native SQL statements. Attackers can exploit this vulnerability by constructing request parameters containing malicious instructions (e.g., inserting SQL statement fragments into the department name input box) and injecting them into the system's database query process: they can not only illegally query and steal sensitive data stored in the system (including full department structure information, employee identity data, permission configuration tables, and enterprise core business association information) but also tamper with department data in the database (such as forging fake departments, modifying department affiliation relationships, or elevating the department permissions of ordinary accounts). Furthermore, attackers can perform database privilege escalation through SQL injection to obtain administrative rights on the database server, ultimately leading to tampering with the entire office management system's organizational structure data, leakage of core sensitive information, disruption of the enterprise's internal management, and potentially serious security incidents such as data compliance violations and leakage of trade secrets. |
| Source | https://github.com/yuan384/cve/issues/3 |
| User | yuan384 (UID 95948) |
| Submission | 02/27/2026 09:14 (1 month ago) |
| Moderation | 03/11/2026 14:49 (12 days later) |
| Status | Accepted |
| VulDB entry | 350404 [FeMiner wms up to 1.0 Basic Organizational Structure depart_add_bg.php Name sql injection] |
| Points | 20 |
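The description above names the defect class (front-end values concatenated into SQL text) and the fix class (validation plus parameterized queries). The following PHP is an added illustration written for this page; it is not code from FeMiner/wms, and the table name `department`, its column names, and the `$post` field names are assumptions chosen to mirror the parameters the description lists. It shows the concatenation anti-pattern beside a PDO prepared-statement version with input validation.

```php
<?php
// Added illustration, not code from the FeMiner/wms project.
// Assumed: a PDO connection $pdo and a hypothetical table `department`
// with columns name, parent_id, manager_no, perm_flag (names are made up).

// VULNERABLE PATTERN: request values are spliced into the SQL string, so a
// quote character in any field changes the structure of the statement.
function addDepartmentUnsafe(PDO $pdo, array $post): void
{
    $sql = "INSERT INTO department (name, parent_id, manager_no, perm_flag) VALUES ('"
         . $post['name'] . "', '" . $post['parent_id'] . "', '"
         . $post['manager_no'] . "', '" . $post['perm_flag'] . "')";
    $pdo->exec($sql);
}

// HARDENED PATTERN: validate the shape of each value, then bind it as a
// parameter so the database driver never interprets it as SQL.
function addDepartmentSafe(PDO $pdo, array $post): int
{
    $name      = trim((string)($post['name'] ?? ''));
    $managerNo = trim((string)($post['manager_no'] ?? ''));
    $parentId  = filter_var($post['parent_id'] ?? null, FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 0]]);
    $permFlag  = filter_var($post['perm_flag'] ?? null, FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 0]]);

    // Reject anything that does not look like a department record before
    // touching the database; length and character-class limits are assumed.
    if ($name === '' || mb_strlen($name) > 64
        || $parentId === false || $permFlag === false
        || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $managerNo)) {
        throw new InvalidArgumentException('invalid department fields');
    }

    $stmt = $pdo->prepare(
        'INSERT INTO department (name, parent_id, manager_no, perm_flag)
         VALUES (:name, :parent_id, :manager_no, :perm_flag)'
    );
    $stmt->bindValue(':name',       $name,      PDO::PARAM_STR);
    $stmt->bindValue(':parent_id',  $parentId,  PDO::PARAM_INT);
    $stmt->bindValue(':manager_no', $managerNo, PDO::PARAM_STR);
    $stmt->bindValue(':perm_flag',  $permFlag,  PDO::PARAM_INT);
    $stmt->execute();

    return (int)$pdo->lastInsertId();
}
```

When constructing the PDO connection, set `PDO::ATTR_EMULATE_PREPARES` to `false` so that the MySQL server, not the PHP client, performs the parameter binding; with emulation enabled the driver still escapes values client-side, but server-side prepares remove the remaining dependence on connection character-set handling. Validation is kept separate from binding on purpose: binding alone stops injection, while the shape checks catch malformed data (negative IDs, oversized names) that would otherwise be stored as-is.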