PT-2024-38842 · Unknown · Continew Admin
Chiexf · Published 2024-08-25 · Updated 2024-09-12 · CVE-2024-8155
CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:L/Au:M/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: ContiNew Admin version 3.2.0
Description: A critical vulnerability was found in ContiNew Admin, affecting the function top.continew.starter.extension.crud.controller.BaseController#tree of the file "/api/system/dept/tree?sort=parentId%2Casc&sort=sort%2Casc". The manipulation of the sort argument leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Recommendations: For ContiNew Admin version 3.2.0, upgrade to version 3.2.1 immediately to mitigate risks. As a temporary workaround until the upgrade is applied, restrict access to the vulnerable API endpoint "/api/system/dept/tree" and avoid using the sort argument of that endpoint.
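The advisory attributes the injection to the unvalidated sort argument, so the durable fix on the application side is to never let that argument reach the SQL text: map each requested field to a known column and accept only "asc" or "desc". The following is an added illustration of that allowlist check, not ContiNew Admin's own code; the column names, the field-to-column mapping and the "field,direction" value format are assumptions taken from the query string quoted above.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

public class SortAllowlist {
    // Assumed mapping from API field names to physical column names (constructed for this
    // example). Because the SQL fragment is built only from map values, user input is never
    // copied into the ORDER BY clause.
    private static final Map<String, String> COLUMN_MAP = Map.of(
            "id", "id",
            "parentId", "parent_id",
            "name", "name",
            "sort", "sort",
            "createTime", "create_time");
    private static final Set<String> DIRECTIONS = Set.of("asc", "desc");

    /** Converts one "field,direction" value into a safe ORDER BY term or rejects it. */
    public static String toOrderByTerm(String sortParam) {
        String[] parts = sortParam.split(",", -1);
        if (parts.length != 2) {
            throw new IllegalArgumentException("sort must be of the form field,direction");
        }
        String column = COLUMN_MAP.get(parts[0].trim());
        String direction = parts[1].trim().toLowerCase();
        if (column == null || !DIRECTIONS.contains(direction)) {
            // Unknown field or direction: refuse rather than pass the text through.
            throw new IllegalArgumentException("unsupported sort value: " + sortParam);
        }
        return column + " " + direction.toUpperCase();
    }

    /** Builds the full ORDER BY clause for repeated sort parameters (sort=a,asc&sort=b,asc). */
    public static String buildOrderBy(List<String> sortParams) {
        if (sortParams.isEmpty()) {
            return "";
        }
        return "ORDER BY " + sortParams.stream()
                .map(SortAllowlist::toOrderByTerm)
                .collect(Collectors.joining(", "));
    }

    public static void main(String[] args) {
        // Values copied from the query string quoted in the advisory.
        System.out.println(buildOrderBy(List.of("parentId,asc", "sort,asc")));
        // A field that is not on the allowlist is rejected before any SQL is assembled.
        try {
            buildOrderBy(List.of("notAColumn,asc"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Returning an error for unknown fields, rather than silently dropping them, also gives the server log a clear signal that someone is probing the parameter.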

Weakness Enumeration: SQL injection
Related Identifiers: CVE-2024-8155
Affected Products: Continew Admin