JeecgBoot v3.7.1 vulnerable to SQL injection via /onlDragDatasetHead/getTotalData
CVE-2024-48307

9.8CRITICAL

Key Information:

Vendor: Jeecg
Status: Jeecg Boot
Vendor: CVE Published:; 31 October 2024

What is CVE-2024-48307?

A SQL injection vulnerability has been identified in JeecgBoot version 3.7.1, allowing attackers to execute unauthorized SQL statements through the /onlDragDatasetHead/getTotalData endpoint. This security flaw could lead to data leakage or manipulation, necessitating immediate attention and remediation to protect sensitive information.

References

https://github.com/jeecgboot

https://github.com/jeecgboot/JeecgBoot

https://github.com/jeecgboot/JeecgBoot/issues/7237

EPSS Score

92% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 31, 2024

CVE-2024-48307 Data

JSON