Jeewms v3.7 was discovered to contain a SQL injection vulnerability via the CgReportController API.
An attacker can submit a crafted HTTP request to the CgReportController API endpoint by injecting malicious SQL code. The lack of proper validation or parameterization of input data causes the injected code to be directly interpreted by the database engine. The attack does not require having an account in the system or user interaction, and it can be carried out remotely over the network.
An attacker can gain unauthorized access to sensitive data stored in the database, modify or delete data, and depending on the database server configuration—potentially take control of the system. The vulnerability threatens the confidentiality, integrity, and availability of the system.
Patches available from the vendor should be applied according to the references. As a temporary measure, it is recommended to restrict network access to the CgReportController API interface and monitor logs for suspicious SQL queries.
Jeewms v3.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HJeewms
APPJeewms3.7
Related vulnerabilities
JeeWMS — pominięcie uwierzytelnienia umożliwiające odczyt plików
Eskalacja uprawnień przez path traversal w Jeewms (AuthInterceptor)
JeeWMS before v2025.01.01 was discovered to contain a permission bypass in the component /interceptors/AuthInt...
Directory Traversal vulnerability in Jeewms v.3.7 and before allows a remote attacker to obtain sensitive info...
A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality ...