Headline

CVE-2022-27360: blade-service/blade-user/src/main/java/org/springblade/system/user/mapper/UserMapper.xml · smallchill/SpringBlade - Gitee.com

SpringBlade v3.2.0 and below was discovered to contain a SQL injection vulnerability via the component customSqlSegment.

3 years ago

CVE

Open in Source

#sql #vulnerability #git #java

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">

</resultMap>

    select id,

    create\_user AS createUser,

    create\_time AS createTime,

    update\_user AS updateUser,

    update\_time AS updateTime,

    status,

    is\_deleted AS isDeleted,

    account, password, name, real\_name, email, phone, birthday, sex, role\_id, dept\_id

</sql>

    select \* from blade\_user where is\_deleted = 0

</select>

    SELECT

        \*

    FROM

        blade\_user

    WHERE

        tenant\_id = #{param1} and account = #{param2} and password = #{param3} and is\_deleted = 0

</select>

    SELECT

    role\_name

    FROM

    blade\_role

    WHERE

    id IN

        #{ids}

</foreach>

    and is\_deleted = 0

</select>

    SELECT

        role\_alias

    FROM

        blade\_role

    WHERE

        id IN

        #{ids}

</foreach>

    and is\_deleted = 0

</select>

    SELECT

        dept\_name

    FROM

        blade\_dept

    WHERE

        id IN

        #{ids}

</foreach>

    and is\_deleted = 0

</select>

    SELECT id, tenant\_id, account, name, real\_name, email, phone, birthday, role\_id, dept\_id, post\_id FROM blade\_user ${ew.customSqlSegment}

</select>

</mapper>

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

2 years ago

2 years ago

2 years ago

2 years ago

2 years ago