| tiêu đề | Beijing Meite Software Technology Co., Ltd. MetaCRM6 <6.4.0 SQL Injection |
|---|
| Mô tả | A critical vulnerability exists in the sql.jsp endpoint of software developed by Beijing Meite Software Technology Co., Ltd. The interface fails to implement any authentication mechanisms and directly invokes the Statement.executeUpdate() method. This allows a remote, unauthenticated attacker to inject and execute arbitrary DML (e.g., UPDATE, DELETE, INSERT) and DDL statements via the sql parameter.
Despite the technical limitation of executeUpdate, an attacker can compromise the system by tampering with administrative credentials, modifying mission-critical business data, or performing a permanent Denial of Service (DoS) by clearing database tables via DELETE or TRUNCATE commands, leading to a total loss of data integrity and availability. |
|---|
| Nguồn | ⚠️ https://my.feishu.cn/docx/JttndUaPLoR88HxI1alcz1uencf?from=from_copylink |
|---|
| Người dùng | 0menc (UID 75423) |
|---|
| Đệ trình | 30/03/2026 03:49 (cách đây 21 ngày) |
|---|
| Kiểm duyệt | 19/04/2026 18:49 (21 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 358263 [Metasoft 美特软件 MetaCRM đến 6.4.0 Interface sql.jsp Statement.executeUpdate sql Tiêm SQL] |
|---|
| điểm | 20 |
|---|