PT-2019-16624 · Inxedu · Inxedu
Ziliudi · Published 2019-01-02 · Updated 2019-02-14 · CVE-2019-3576
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: inxedu through 2018-12-24
Description: The issue is a SQL injection vulnerability reachable through the deleteFaveorite/ PATH INFO, allowing information disclosure; the CVSS vector (PR:N, C:H/I:H/A:H) rates it as exploitable without authentication and as affecting integrity and availability as well. The vulnerable code is in the com.inxedu.os.edu.controller.user.UserController class, in the deleteFavorite method: the ids value taken from the request path is handed to courseFavoritesService.deleteCourseFavoritesById and reaches the MyBatis statement without being bound as a parameter (in MyBatis, ${} substitutes the raw string into the SQL text, whereas #{} binds it as a prepared-statement parameter). Note the misspelling in the annotation in UserController.java, @RequestMapping("/deleteFaveorite/{ids}"): the method is named deleteFavorite, but the URL path that reaches it is /deleteFaveorite/{ids}, so that misspelled path is the one to request when testing, and the one to block.
Recommendations: For inxedu through 2018-12-24, restrict access to the deleteFaveorite/ PATH INFO (for example, deny it at the reverse proxy or limit it to authenticated users) until a patch is available. As a temporary workaround, disable the deleteFavorite method in UserController, and do not rely on the ids parameter of the affected endpoint until the issue is resolved. The actual fix is to stop splicing the ids path variable into the SQL text: validate it as a list of integer IDs, pass the values as bound parameters (#{} inside a <foreach> element for the IN list in MyBatis), and scope the delete to the requesting user's own favorites rather than trusting client-supplied IDs alone.
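The following is an added example, not code from inxedu or from this advisory. It reproduces the mechanism described above in Python against an in-memory SQLite table: a stand-in for the vulnerable path splices the raw ids path variable into the SQL text (what MyBatis ${ids} does), beside a hardened version that validates ids as an integer list, binds the values as parameters (the equivalent of #{} in a <foreach>), and scopes the delete to the requesting user. The course_favorites schema, the sample rows and the injection payload are constructed for the demonstration; the real inxedu schema and the exact SQL are not on the page.

```python
import re
import sqlite3

# Constructed sample data for a hypothetical course_favorites table
# (id, user_id, course_id); the real inxedu schema is not on the page.
SAMPLE_ROWS = [(1, 10, 100), (2, 10, 101), (3, 11, 100), (4, 12, 102)]


def fresh_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE course_favorites "
        "(id INTEGER PRIMARY KEY, user_id INTEGER, course_id INTEGER)"
    )
    conn.executemany("INSERT INTO course_favorites VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def remaining_ids(conn):
    """IDs still present after a delete, in ascending order."""
    return [row[0] for row in conn.execute("SELECT id FROM course_favorites ORDER BY id")]


def delete_favorites_vulnerable(conn, user_id, ids):
    """Stand-in for the vulnerable path: the raw {ids} path variable is spliced
    into the SQL text, which is what MyBatis ${ids} substitution does."""
    sql = f"DELETE FROM course_favorites WHERE user_id = {int(user_id)} AND id IN ({ids})"
    conn.execute(sql)
    conn.commit()
    return remaining_ids(conn)


# Only a comma-separated list of non-negative integers is accepted as ids.
ID_LIST = re.compile(r"\d+(,\d+)*")


def parse_id_list(ids):
    """Validate the path variable before it goes anywhere near SQL."""
    if not ID_LIST.fullmatch(ids):
        raise ValueError("ids must be a comma-separated list of integers")
    return [int(x) for x in ids.split(",")]


def delete_favorites_safe(conn, user_id, ids):
    """Hardened version: validated IDs, one bound parameter per value
    (the MyBatis #{} / <foreach> equivalent), and the delete scoped to
    the requesting user's own rows."""
    id_list = parse_id_list(ids)
    placeholders = ",".join("?" * len(id_list))
    conn.execute(
        f"DELETE FROM course_favorites WHERE user_id = ? AND id IN ({placeholders})",
        [user_id, *id_list],
    )
    conn.commit()
    return remaining_ids(conn)


# Constructed payload: closes the IN (...) list, ORs in a tautology so every
# row matches, and comments out the trailing parenthesis.
INJECTION = "1) OR 1=1 --"


if __name__ == "__main__":
    print("vulnerable, honest input:", delete_favorites_vulnerable(fresh_db(), 10, "1"))
    print("vulnerable, injected   :", delete_favorites_vulnerable(fresh_db(), 10, INJECTION))
    print("hardened, honest input :", delete_favorites_safe(fresh_db(), 10, "1,2"))
    try:
        delete_favorites_safe(fresh_db(), 10, INJECTION)
    except ValueError as exc:
        print("hardened, injected     : rejected,", exc)
```

With the payload, the spliced statement becomes `DELETE FROM course_favorites WHERE user_id = 10 AND id IN (1) OR 1=1 --)`; because AND binds tighter than OR, the user_id restriction is bypassed and every user's favorites are deleted, which is why the advisory's CVSS vector carries I:H and A:H and not only C:H. The hardened version rejects the payload before any SQL runs, and even a well-formed ids list cannot touch rows belonging to another user.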

Fix

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2019-3576

Affected Products: Inxedu