[Suggested description]
There is a SQL injection vulnerability in crmeb_java <=1.3.4, caused by the parameter sortKey, which is used in ${} format and is not strictly filtered.
[Vulnerability Type]
SQLi
[Vendor of Product]
https://github.com/crmeb/crmeb_java
[Affected Product Code Base]
<=1.3.4
[Affected Component]
/api/front/store/list
[Attack Type]
Remote
[Vulnerability details]
[Impact Code execution]
true
[Cause of vulnerability]
The interface /api/front/store/list calls the function getNearList.
getNearList is called when both the latitude and longitude parameters are supplied.
The latitude and longitude parameters are used in ${} format, so they are concatenated directly into the SQL string.
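As an added illustration (not code from crmeb_java), a hypothetical MyBatis mapper contrasts the ${} text-substitution pattern the report describes with the #{} parameter-binding fix, and shows the caller-side checks that belong in front of it; the table name "store", its columns, the planar distance formula and the sort-key allowlist are all assumptions.

```java
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical mapper, not the crmeb_java source; the table "store" and its
// columns are assumed, and the distance formula is a planar simplification.
@Mapper
public interface StoreNearMapper {

    // VULNERABLE: ${} splices the raw request strings into the SQL text before
    // MyBatis hands it to JDBC, so the client controls part of the statement.
    @Select("SELECT id, name, "
          + "SQRT(POW(latitude - ${latitude}, 2) + POW(longitude - ${longitude}, 2)) AS distance "
          + "FROM store WHERE is_del = 0 ORDER BY distance")
    List<Map<String, Object>> nearListUnsafe(@Param("latitude") String latitude,
                                             @Param("longitude") String longitude);

    // FIXED: #{} becomes a JDBC "?" placeholder bound as a double; the value can
    // only ever be a number, never additional SQL.
    @Select("SELECT id, name, "
          + "SQRT(POW(latitude - #{latitude}, 2) + POW(longitude - #{longitude}, 2)) AS distance "
          + "FROM store WHERE is_del = 0 ORDER BY distance")
    List<Map<String, Object>> nearListSafe(@Param("latitude") double latitude,
                                           @Param("longitude") double longitude);
}

// Caller-side validation: parse and range-check coordinates before the mapper
// is reached, and allowlist anything that cannot be a bound parameter.
final class GeoInput {
    private static final Set<String> SORT_KEYS = Set.of("distance", "name");

    static double latitude(String raw) {
        double v = Double.parseDouble(raw);   // NumberFormatException on non-numeric input
        // isFinite also rejects "NaN" and "Infinity", which parseDouble accepts
        if (!Double.isFinite(v) || v < -90.0 || v > 90.0)
            throw new IllegalArgumentException("latitude out of range");
        return v;
    }

    static double longitude(String raw) {
        double v = Double.parseDouble(raw);
        if (!Double.isFinite(v) || v < -180.0 || v > 180.0)
            throw new IllegalArgumentException("longitude out of range");
        return v;
    }

    // A sort key must be interpolated with ${} (ORDER BY cannot take a "?"),
    // so it is accepted only from a fixed allowlist of column names.
    static String sortKey(String raw) {
        if (!SORT_KEYS.contains(raw)) throw new IllegalArgumentException("unknown sort key");
        return raw;
    }
}
```

The same pattern applies to the sortKey named in the description: values that must stay in ${} form, such as ORDER BY columns, are compared against a fixed allowlist rather than filtered.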