J2Eefast · J2Eefast · CVE-2021-28890
Name of the Vulnerable Software and Affected Versions:
J2eeFAST version 2.2.1
Description:
J2eeFAST 2.2.1 allows remote attackers to perform SQL injection via the `compId` parameter to `fast/sys/user/list`, the `deptId` parameter to `fast/sys/role/list`, or the `roleId` parameter to `fast/sys/role/authUser/list`. The root cause is the use of MyBatis-style `${}` string substitution to join these values into SQL statements: `${}` splices the raw parameter text into the statement itself, whereas `#{}` would send it as a bound parameter that the database compares as data.
Recommendations:
For J2eeFAST version 2.2.1, consider restricting access to the `fast/sys/user/list`, `fast/sys/role/list`, and `fast/sys/role/authUser/list` API endpoints to minimize the risk of exploitation. Avoid using the `compId`, `deptId`, and `roleId` parameters in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
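The following is an added example, not J2eeFAST's own code: it shows how a maintainer would audit MyBatis-style mapper text for `${}` placeholders in value positions (the root cause described above), contrasts `${}`-style splicing with `#{}`-style binding against an in-memory SQLite table, and adds the numeric-id check the recommendation implies for `compId`, `deptId` and `roleId`. The mapper fragment, statement ids, table and column names, and sample rows are all constructed for illustration; only the three parameter names come from the advisory.

```python
"""Added example (not J2eeFAST code): audit mappers for ${} and contrast it with #{}."""
import re
import sqlite3

# Constructed mapper fragment in MyBatis XML style. Statement ids, tables and columns
# are assumptions; only the parameter names compId/deptId/roleId come from the advisory.
MAPPER_XML = """
<select id="selectUserList">
  SELECT user_id, user_name FROM sys_user WHERE comp_id = ${compId}
</select>
<select id="selectRoleList">
  SELECT role_id, role_name FROM sys_role WHERE dept_id = #{deptId}
</select>
<select id="selectAuthUserList">
  SELECT u.user_id FROM sys_user u JOIN sys_user_role ur ON u.user_id = ur.user_id
  WHERE ur.role_id = ${roleId} ORDER BY ${orderByColumn}
</select>
"""

INTERPOLATION = re.compile(r"\$\{\s*([A-Za-z_][A-Za-z0-9_.]*)\s*\}")
# A ${} right after a comparison operator or IN( sits in a data position: it must be #{}.
VALUE_POSITION = re.compile(r"(?:=|<>|!=|<=|>=|<|>|\bIN\s*\()\s*$", re.IGNORECASE)
STATEMENT = re.compile(r'<select id="([^"]+)">(.*?)</select>', re.DOTALL)


def find_interpolations(mapper_xml):
    """Return (statement_id, parameter, position) for every ${} in the mapper text.

    position is "value" when the placeholder is compared as data (must become #{}),
    and "identifier" when it names a column or sort order (needs an allowlist instead).
    """
    findings = []
    for stmt in STATEMENT.finditer(mapper_xml):
        stmt_id, body = stmt.group(1), stmt.group(2)
        for m in INTERPOLATION.finditer(body):
            before = body[: m.start()]
            position = "value" if VALUE_POSITION.search(before) else "identifier"
            findings.append((stmt_id, m.group(1), position))
    return findings


def make_db():
    """In-memory stand-in for the user table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (user_id INTEGER, user_name TEXT, comp_id INTEGER)")
    conn.executemany("INSERT INTO sys_user VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 100), (3, "carol", 200)])
    return conn


def list_users_interpolated(conn, comp_id):
    """Equivalent of ${compId}: the caller's text is spliced into the statement."""
    sql = f"SELECT user_id FROM sys_user WHERE comp_id = {comp_id}"
    return conn.execute(sql).fetchall()


def list_users_bound(conn, comp_id):
    """Equivalent of #{compId}: the value is sent as a bound parameter, never as SQL."""
    sql = "SELECT user_id FROM sys_user WHERE comp_id = ?"
    return conn.execute(sql, (comp_id,)).fetchall()


def run_both(conn, raw):
    """Run one lookup both ways; "error" marks a statement the engine refused to parse."""
    try:
        interpolated = list_users_interpolated(conn, raw)
    except sqlite3.Error:
        interpolated = "error"
    return interpolated, list_users_bound(conn, raw)


def parse_id(raw):
    """Controller-side guard: compId/deptId/roleId are numeric, so reject anything else."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError(f"rejected non-numeric id {raw!r}")
    return int(raw)


if __name__ == "__main__":
    for stmt_id, param, position in find_interpolations(MAPPER_XML):
        print(f"{stmt_id}: ${{{param}}} in {position} position")
    conn = make_db()
    for raw in ("100", "100 abc"):
        print(raw, "->", run_both(conn, raw))
```

Running the scanner over the constructed mapper flags `compId` and `roleId` as `${}` in value positions (the `#{deptId}` statement is clean) and separately reports `orderByColumn` as an identifier-position `${}`, which cannot simply be switched to `#{}` and instead needs an allowlist of permitted column names. The SQLite part makes the difference concrete: for the input `100 abc`, the spliced statement reaches the engine as SQL and fails to parse, while the bound statement treats the same text as a value and returns no rows; `parse_id` rejects it before any query is built, which is the check to put behind the three affected endpoints.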