CVE-2021-46385

Name of the Vulnerable Software and Affected Versions Mingsoft MCMS versions 5.2.5 and earlier

Description The issue allows an attacker to obtain sensitive information from the database through a SQL injection vulnerability. The component net.mingsoft.mdiy.action.FormDataAction#queryData is affected, and the attack vector involves using 0 or sleep(3). This vulnerability can be exploited remotely.

Recommendations For versions 5.2.5 and earlier, as a temporary workaround, consider restricting access to the /querydata endpoint until a patch is available. Additionally, avoid using the queryData function in the net.mingsoft.mdiy.action.FormDataAction component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.