Unauthenticated HQL Injection Vulnerability in Landray OA Software
CVE-2024-58352
Key Information:
- Vendor
- CVE Published:
- 2 July 2026
Badges
What is CVE-2024-58352?
Landray OA is affected by a serious unauthenticated HQL injection vulnerability, which enables attackers to manipulate the system's database queries by injecting harmful HQL syntax via the uid POST parameter of the wechatLoginHelper.do endpoint. This vulnerability stems from a failure to adequately sanitize inputs, allowing unauthorized users to extract sensitive information, including administrator password hashes. Moreover, if attackers possess sufficient database privileges, they can exploit this flaw to perform file-write operations, potentially leading to remote code execution. The initial evidence of exploitation was documented by the Shadowserver Foundation on March 11, 2024.
Affected Version(s)
Landry Office Automation (OA) *
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
