CRITICAL🇵🇱 Wersja polska

CVE-2024-48307

CVSS 9.8v3.1pub. 2024-10-31upd. 2025-06-27

JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component /onlDragDatasetHead/getTotalData.

🤖 AI Analysis
How it works

The vulnerability results from a lack of proper validation and sanitization of input data passed to the /onlDragDatasetHead/getTotalData component. An attacker can inject malicious SQL code directly into the query executed by the application. Due to the network vector (AV:N) and lack of authentication requirements (PR:N) and user interaction (UI:N), the exploit can be executed remotely by anyone with access to the application.

Impact

An attacker can gain unauthorized access to sensitive data in the database, modify or delete its contents, and in certain database server configurations potentially take control of the system (RCE).

Mitigation & patch

Apply patches available from the vendor according to the references. It is recommended to monitor the project repository at https://github.com/jeecgboot/JeecgBoot for the latest fix. As a temporary measure, consider restricting access to the vulnerable endpoint at the firewall or reverse proxy level.

Who is affected

JeecgBoot version 3.7.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Jeecg Boot

    APP
    Jeecg
    3.7.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2024-43028CRITICAL9.8PL ✓ten sam produkt

Command injection w Jeecg Boot — zdalne wykonanie kodu przez /jmreport/show

CVE-2024-40489CRITICAL9.8PL ✓ten sam produkt

Injection/RCE w Jeecg Boot 3.0.0–3.5.3 przez niedostateczne filtrowanie znaków

CVE-2023-41543CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Jeecg Boot — eskalacja uprawnień i wyciek danych

CVE-2023-41542CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Jeecg Boot — eskalacja uprawnień i wyciek danych

CVE-2023-41544CRITICAL9.8PL ✓ten sam produkt

RCE poprzez SSTI injection w Jeecg Boot — komponent /jmreport/loadTableData