
Researcher: Spoofer (rank #25122 of 53,624, total CVSS 9.8, vulnerabilities: 1)
PT-2024-23336 · CVSS 9.8 · 2024-03-28 · Shanghai Brad Technology · BladeX · CVE-2024-3039
**Name of the Vulnerable Software and Affected Versions**

Shanghai Brad Technology BladeX version 3.4.0

**Description**

A critical SQL injection vulnerability has been found in the API component of Shanghai Brad Technology BladeX. It affects an unknown function behind the file `/api/blade-user/export-user`. Request input is passed into an SQL statement without sanitization, so an attacker can supply an expression such as `updatexml(1,concat(0x3f,md5(123456),0x3f),1)=1`. `updatexml()` is a MySQL function whose XPath error message echoes the injected expression, so this is an error-based injection: the `md5(123456)` hash appearing in the server's error response confirms that the payload was executed by the database. The vulnerability can be exploited remotely. The vendor was contacted about this disclosure but did not respond.

**Recommendations**

For Shanghai Brad Technology BladeX version 3.4.0, restrict access to the `/api/blade-user/export-user` endpoint to trusted callers and review how the export query is built: user-controlled input must reach the database only as bound parameters, and any input used as a column or expression name must be checked against an allow-list. As a temporary workaround, consider disabling the affected API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
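The following is an added example, not code from BladeX or from the advisory, showing why the payload above works and what the recommended fix looks like. It assumes, hypothetically, that the export endpoint turns each request argument into a `column = 'value'` condition by splicing the argument name into the SQL text unquoted; the table name `blade_user`, its columns and the sample rows are constructed for the demonstration. SQLite is used in place of MySQL, so `updatexml()` is not defined there, but the "no such function" error is exactly the point: the attacker-supplied text reached the SQL engine as code rather than as data. The hardened variant rejects unknown column names and binds values as parameters.

```python
import sqlite3

# Payload quoted in the advisory (MySQL error-based probe).
PAYLOAD = "updatexml(1,concat(0x3f,md5(123456),0x3f),1)=1"

# Constructed sample data; the real BladeX schema is not part of the advisory.
SAMPLE_USERS = [(1, "admin", "Administrator"), (2, "alice", "User")]

# Hypothetical allow-list of filterable columns for the hardened version.
ALLOWED_COLUMNS = {"id", "account", "role_name"}


def make_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blade_user (id INTEGER, account TEXT, role_name TEXT)")
    conn.executemany("INSERT INTO blade_user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def export_users_vulnerable(conn, params):
    """Anti-pattern (hypothetical reconstruction): every request argument becomes
    `name = 'value'` in the WHERE clause, with the argument *name* spliced into
    the SQL text. An argument named updatexml(...)=1 is therefore parsed as SQL.
    Returns ("ok", rows) or ("error", message)."""
    conditions = [f"{name} = '{value}'" for name, value in params.items()]
    sql = "SELECT id, account, role_name FROM blade_user"
    if conditions:
        sql += " WHERE " + " AND ".join(conditions)
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        # In MySQL this would be the XPath error that echoes the injected expression;
        # here SQLite reports that the injected function does not exist.
        return ("error", str(exc))


def export_users_hardened(conn, params):
    """Fix: column names are checked against an allow-list and values are bound
    as parameters, so request input can never change the statement's structure."""
    conditions, bound = [], []
    for name, value in params.items():
        if name not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown filter column: {name!r}")
        conditions.append(f"{name} = ?")
        bound.append(value)
    sql = "SELECT id, account, role_name FROM blade_user"
    if conditions:
        sql += " WHERE " + " AND ".join(conditions)
    return conn.execute(sql, bound).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(export_users_vulnerable(db, {"account": "admin"}))
    print(export_users_vulnerable(db, {PAYLOAD: ""}))
    print(export_users_hardened(db, {"account": "admin"}))
    try:
        export_users_hardened(db, {PAYLOAD: ""})
    except ValueError as err:
        print("rejected:", err)
```

Against MySQL the vulnerable branch would return the injected hash inside the XPath syntax error instead of "no such function", which is how the probe in the advisory confirms execution. The hardened branch fails closed on the same request before any SQL is sent.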