org.jeecgframework.boot:jeecg-boot-base-core@3.0 vulnerabilities

Affected versions of this package are vulnerable to SQL Injection through the /onlDragDatasetHead/getTotalData component. An attacker can manipulate the backend database and execute arbitrary SQL commands by injecting malicious SQL code into the input parameters.

There is no fixed version for org.jeecgframework.boot:jeecg-boot-base-core.

Affected versions of this package are vulnerable to SQL Injection via the /sys/replicate/check endpoint. An attacker can escalate privileges and obtain sensitive information by injecting malicious SQL queries.

There is no fixed version for org.jeecgframework.boot:jeecg-boot-base-core.

Affected versions of this package are vulnerable to SQL Injection via the /jeecg-boot/jmreport/show component due to improper user input sanitization. An attacker can manipulate SQL queries by injecting malicious SQL code.

A fix was pushed into the master branch but not yet published.

Affected versions of this package are vulnerable to SQL Injection which allows a local attacker to cause a denial of service via the Benchmark, PG_Sleep, DBMS_Lock.Sleep, Waitfor, DECODE, and DBMS_PIPE.RECEIVE_MESSAGE functions within the "/sys/duplicate/check" API endpoint.

Upgrade org.jeecgframework.boot:jeecg-boot-base-core to version 3.5.1 or higher.

Affected versions of this package are vulnerable to SQL Injection due to improper input sanitization via the Benchmark, PG_Sleep, DBMS_Lock.Sleep, Waitfor, DECODE, and DBMS_PIPE.RECEIVE_MESSAGE functions. Exploiting this vulnerability allows a local attacker to cause a denial of service by utilizing the %09 encoding to replace space characters and leveraging the sleep() function.

Note: This vulnerability was fixed in version 3.5.1, which doesn't exist in the ecosystem.

A fix was pushed into the master branch but not yet published.

Affected versions of this package are vulnerable to SQL Injection due to improper input sanitization passed via the component queryTableDictItemsByCode at org.jeecg.modules.api.controller.SystemApiController.

A fix was pushed into the master branch but not yet published.

Affected versions of this package are vulnerable to SQL Injection in the /sys/dict/queryTableData component, whose injection protection mechanism can be bypassed with /*%0A*/.

A fix was pushed into the master branch but not yet published.

Affected versions of this package are vulnerable to Arbitrary File Upload via the file argument in the file upload component of the API.

There is no fixed version for org.jeecgframework.boot:jeecg-boot-base-core.

Affected versions of this package are vulnerable to SQL Injection via the component /sys/duplicate/check.

Upgrade org.jeecgframework.boot:jeecg-boot-base-core to version 3.4.4 or higher.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via a mouseover event in /jeecg-boot/jmreport/view.

There is no fixed version for org.jeecgframework.boot:jeecg-boot-base-core.

Affected versions of this package are vulnerable to SQL Injection that can operate the database with root privileges.

A fix was pushed into the master branch but not yet published.