Jeewms SQL Injection Vulnerability in CgReportController API
Vulnerability
A SQL injection vulnerability has been identified in Jeewms version 3.7, specifically within the CgReportController API. The issue arises from improper validation of parameters in the 'datagrid' method of the CgReportController, allowing unauthorized attackers to manipulate SQL queries and access sensitive data.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or, in some cases, execution of administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a POST request to the 'cgReportController.do' endpoint with the 'configId' parameter set to 'jckcs'. Include a crafted 'begin_date' value that exploits the SQL injection flaw, such as a UNION SELECT payload that retrieves database information. The request must also include a valid JSESSIONID cookie to simulate an authenticated session.
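The pattern behind this class of flaw, as an added example that is not Jeewms code: a date filter concatenated into the SQL text, beside a version that validates the value as a date and binds it as a parameter. Python with an in-memory SQLite database stands in for the application's Java stack; the table names, function names and sample value are constructed for illustration.

```python
import sqlite3
from datetime import date

# Constructed sample value: a date followed by extra SQL, the shape described above.
HOSTILE = "2024-02-01' UNION SELECT name, pw_hash FROM app_user --"

def make_db():
    """Constructed in-memory tables; names are hypothetical, not Jeewms schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stock_report (item TEXT, created TEXT)")
    db.execute("CREATE TABLE app_user (name TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO stock_report VALUES (?, ?)",
                   [("pallet-A", "2024-01-10"), ("pallet-B", "2024-03-02")])
    db.execute("INSERT INTO app_user VALUES ('admin', 'constructed-hash')")
    return db

def report_concat(db, begin_date):
    """'Before' pattern: the request value becomes part of the SQL text."""
    sql = ("SELECT item, created FROM stock_report "
           "WHERE created >= '" + begin_date + "'")
    return db.execute(sql).fetchall()

def report_bound(db, begin_date):
    """Hardened: reject anything that is not a date, then bind it as data."""
    try:
        parsed = date.fromisoformat(begin_date)
    except ValueError:
        raise ValueError("begin_date is not an ISO date") from None
    sql = "SELECT item, created FROM stock_report WHERE created >= ?"
    return db.execute(sql, (parsed.isoformat(),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("concat, hostile:", report_concat(db, HOSTILE))
    print("bound, valid:   ", report_bound(db, "2024-02-01"))
    try:
        report_bound(db, HOSTILE)
    except ValueError as exc:
        print("bound, hostile:  rejected:", exc)
```

The concatenated version returns a row from the unrelated table, while the bound version returns only report rows for a valid date and rejects the non-date value before any query runs.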
