CVE-2021-38239

Name of the Vulnerable Software and Affected Versions dataease versions prior to 1.2.0

Description The issue allows attackers to gain sensitive information via the orders parameter to the "/api/sys msg/list/1/10" API endpoint. This is a SQL Injection vulnerability.

Recommendations For versions prior to 1.2.0, update to version 1.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/sys msg/list/1/10" API endpoint to minimize the risk of exploitation. Avoid using the orders parameter in the affected API endpoint until the issue is resolved.