| Title | Shenzhen Ruiming Technology Co., Ltd. Streamax Crocus O&M Platform 1.3.44 SQL Injection |
|---|---|
| Description | A critical SQL injection vulnerability was identified in the /OperateStatistic.do endpoint of the Streamax Crocus O&M Platform by Shenzhen Ruiming Technology. The vulnerability resides in the VehicleID parameter due to insufficient input validation.<br>Crucially, this endpoint is accessible to unauthenticated remote users. By injecting malicious time-based blind SQL payloads (e.g., utilizing BENCHMARK or SHA1 functions), an attacker can:<br>1. Exfiltrate Sensitive Data: Gain full unauthorized access to the saffron database, compromising vehicle tracking data and system credentials.<br>2. Trigger Denial of Service (DoS): Exhaust server CPU resources by executing resource-heavy SQL queries, leading to a complete system shutdown.<br>3. Exploit Without Barriers: Since no authentication or user interaction is required, the vulnerability poses a maximum risk to the confidentiality, integrity, and availability of the platform. |
| Source | https://my.feishu.cn/docx/GvP3d9xnYoK9zWx1yI6cf9J9nRe?from=from_copylink |
| User | Anonymous User |
| Submission | 03/12/2026 09:05 (24 days ago) |
| Moderation | 03/27/2026 15:35 (15 days later) |
| Status | Duplicate |
| VulDB entry | 353143 [Shenzhen Ruiming Technology Streamax Crocus 1.3.44 /OperateStatistic.do VehicleID sql injection] |
| Points | 0 |