PT-2023-12333 · Dataease · Dataease

Mia0A-Hio

Published

2023-02-15

Updated

2025-03-20

CVE-2021-38239

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions dataease versions prior to 1.2.0

Description The issue allows attackers to gain sensitive information via the orders parameter to the "/api/sys msg/list/1/10" API endpoint. This is a SQL Injection vulnerability.

Recommendations For versions prior to 1.2.0, update to version 1.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/sys msg/list/1/10" API endpoint to minimize the risk of exploitation. Avoid using the orders parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2021-38239

Affected Products

Dataease

PT-2023-12333 · Dataease · Dataease

CVE-2021-38239

Weakness Enumeration

Related Identifiers

Affected Products

References · 6