Fanwei · Fanwei E-Cology · CVE-2025-34038
Name of the Vulnerable Software and Affected Versions:
Fanwei e-cology versions 8.0 and prior
Description:
A SQL injection issue exists that allows unauthenticated attackers to execute arbitrary SQL queries via the "getdata.jsp" endpoint. The application passes unsanitized user input from the `sql` parameter into a database query inside the `getSelectAllIds(sql, type)` method, which is reachable through the `cmd=getSelectAllId` workflow in the AjaxManager. Because no authentication is required and the query text itself comes from the client, this could expose sensitive data, such as administrator password hashes.
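The request path described above (getdata.jsp with cmd=getSelectAllId and a client-supplied sql value) is straightforward to pick out of web-server access logs. The script below is an added example written for this page; it is not code from the advisory or from Fanwei. It assumes Combined Log Format lines, allows a context path in front of /getdata.jsp (e.g. /ecology/getdata.jsp), and uses generic SQL-injection indicator strings rather than anything specific to e-cology's schema. The sample log lines are constructed, not captured traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /getdata.jsp?cmd=getSelectAllId&type=0&sql=select+1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [10/Jan/2025:10:00:02 +0000] "GET /getdata.jsp?cmd=getSelectAllId&sql=select%201%20%75%6e%69%6f%6e%20select%20%40%40version HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Jan/2025:10:00:03 +0000] "GET /getdata.jsp?cmd=getSelectAllId HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2025:10:00:04 +0000] "GET /login/Login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:10:00:05 +0000] "POST /GetData.JSP?cmd=getSelectAllId HTTP/1.1" 200 512 "-" "curl/8.4.0"
"""

# Combined Log Format: ip ident user [timestamp] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic SQL-injection indicators. Nothing here assumes e-cology's table or
# column names; tune this list to the deployment's database engine.
INDICATORS = ("union", "@@", "information_schema", "sysobjects", "--", "/*",
              ";", "sleep(", "waitfor", "benchmark(")


def classify_request(method: str, target: str):
    """Return a finding dict for a request that reaches the getSelectAllId
    workflow on getdata.jsp, or None for any other request."""
    parts = urlsplit(target)
    # Tomcat resolves JSP paths case-insensitively on Windows hosts, so fold the
    # path. Parameter names are case-sensitive in the servlet API, so those are
    # matched exactly. A context path prefix before /getdata.jsp is allowed
    # (assumption: deployments may not serve the application from "/").
    if not parts.path.lower().endswith("/getdata.jsp"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "getSelectAllId" not in params.get("cmd", []):
        return None
    if "sql" not in params:
        # The workflow is reached but the sql value is not visible: for a POST
        # it travels in the request body, which access logs do not record.
        return {"severity": "low", "sql": None, "indicators": []}
    sql = params["sql"][0]  # parse_qs has already percent-decoded the value
    hits = [tok for tok in INDICATORS if tok in sql.lower()]
    return {"severity": "high" if hits else "medium", "sql": sql, "indicators": hits}


def scan_log(text: str):
    """Parse access-log lines and return findings in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m["method"], m["target"])
        if finding:
            finding.update(ip=m["ip"], ts=m["ts"], method=m["method"], status=m["status"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['method']:4} "
              f"indicators={f['indicators']} sql={f['sql']!r}")
```

Two points the sample lines are chosen to make: the second request percent-encodes the word "union", so matching indicator strings against the raw URL would miss it and decoding must happen first; and the legitimate front end also calls this endpoint with a sql value, so a "medium" finding is only meaningful against a baseline of normal client addresses and user agents, while a "high" finding from an external address warrants investigation.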
Recommendations:
For Fanwei e-cology versions 8.0 and prior, until a vendor patch is available, either disable the `getSelectAllIds(sql, type)` code path or restrict access to the "getdata.jsp" endpoint (at minimum, requests carrying `cmd=getSelectAllId`) at the reverse proxy or WAF. Note that the `sql` parameter is attacker-controlled, so its mere presence cannot be treated as a sign of legitimate use; the endpoint should not accept SQL text from the client at all, and any replacement should build the query server-side and bind values as parameters. Because the application's own front end may call this endpoint, verify affected functionality in a test environment before blocking it in production.