CVE-2023-26813

Name of the Vulnerable Software and Affected Versions wangmarket CMS version 4.10

Description The issue allows remote attackers to run arbitrary SQL commands via the TableName parameter to the "/plugin/dataDictionary/tableView.do" API endpoint. This enables attackers to manipulate database queries, potentially leading to unauthorized data access or modification.

Recommendations For wangmarket CMS version 4.10, consider disabling the DataDictionaryPluginController function until a patch is available to prevent exploitation of the SQL injection vulnerability. Restrict access to the "/plugin/dataDictionary/tableView.do" API endpoint to minimize the risk of exploitation. Avoid using the TableName parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.