You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Recently, our team found a security vulnerability in the latest version of the project, which has led to the risk of SQL injection, potentially causing severe information leakage. The vulnerability lies within the method: src/main/java/org/springblade/system/user/controller/UserController.java#exportUser.
Developers, while operating the SQL statement through : the src/main/java/org/springblade/system/user/mapper/UserMapper.java#exportUsermethod, directly concatenated the input "ew" parameter to the SQL statement "SELECT id, tenant_id, account, name, real_name, email, phone, birthday, role_id, dept_id, post_id FROM blade_user ${ew.customSqlSegment}" using the " ${ew.customSqlSegment}" syntax. This means that attackers could control the "ew" parameter to execute SQL injection attacks.
The text was updated successfully, but these errors were encountered:
Recently, our team found a security vulnerability in the latest version of the project, which has led to the risk of SQL injection, potentially causing severe information leakage. The vulnerability lies within the method: src/main/java/org/springblade/system/user/controller/UserController.java#exportUser.
Developers, while operating the SQL statement through : the src/main/java/org/springblade/system/user/mapper/UserMapper.java#exportUsermethod, directly concatenated the input "ew" parameter to the SQL statement "SELECT id, tenant_id, account, name, real_name, email, phone, birthday, role_id, dept_id, post_id FROM blade_user ${ew.customSqlSegment}" using the " ${ew.customSqlSegment}" syntax. This means that attackers could control the "ew" parameter to execute SQL injection attacks.
The text was updated successfully, but these errors were encountered: