CRITICAL🇵🇱 Wersja polska

CVE-2023-41542

CVSS 9.8v3.1pub. 2023-12-30upd. 2024-11-21

SQL injection vulnerability in jeecg-boot version 3.5.3, allows remote attackers to escalate privileges and obtain sensitive information via the jmreport/qurestSql component.

🤖 AI Analysis
How it works

The attacker sends a crafted network request to the jmreport/qurestSql endpoint, injecting malicious SQL code as part of the query. The lack of proper validation and sanitization of input data allows manipulation of queries executed by the database. As a result, both reading confidential information and escalating privileges within the application are possible.

Impact

An unauthenticated remote attacker can gain access to sensitive data stored in the database and escalate their privileges in the Jeecg Boot application.

Mitigation & patch

Apply patches available from the vendor according to the references. Additionally, it is recommended to restrict access to the jmreport/qurestSql endpoint at the firewall or WAF level until the patch is deployed.

Who is affected

Jeecg Boot version 3.5.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Jeecg Boot

    APP
    Jeecg
    ≤ 3.5.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLiLPE
CWE
References

Related vulnerabilities

CVE-2024-40489CRITICAL9.8PL ✓ten sam produkt

Injection/RCE w Jeecg Boot 3.0.0–3.5.3 przez niedostateczne filtrowanie znaków

CVE-2024-43028CRITICAL9.8PL ✓ten sam produkt

Command injection w Jeecg Boot — zdalne wykonanie kodu przez /jmreport/show

CVE-2024-48307CRITICAL9.8PL ✓ten sam produkt

SQL Injection w JeecgBoot przez endpoint getTotalData

CVE-2023-41544CRITICAL9.8PL ✓ten sam produkt

RCE poprzez SSTI injection w Jeecg Boot — komponent /jmreport/loadTableData

CVE-2023-41543CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Jeecg Boot — eskalacja uprawnień i wyciek danych