CVE-2024-3039

Name of the Vulnerable Software and Affected Versions Shanghai Brad Technology BladeX version 3.4.0

Description A critical vulnerability has been found in the API component of Shanghai Brad Technology BladeX, specifically affecting an unknown function of the file /api/blade-user/export-user. The issue allows for SQL injection through the manipulation of input, such as updatexml(1,concat(0x3f,md5(123456),0x3f),1)=1, which can be exploited remotely. The vendor was contacted about this disclosure but did not respond.

Recommendations For Shanghai Brad Technology BladeX version 3.4.0, restrict API access to the /api/blade-user/export-user endpoint and review SQL query sanitization to prevent exploitation. As a temporary workaround, consider disabling the affected API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.