JeecgBoot SQL Injection Vulnerability in TotalData Component

Vulnerability

A SQL injection vulnerability has been identified in JeecgBoot version 3.7.2, developed by Beijing Guoju Information Technology Co., Ltd. The flaw is in the getTotalData component and allows a remote attacker to retrieve sensitive information from the database. This version does include some input validation on the affected request, but it can be bypassed, so the application remains exploitable.

Impact

Successful exploitation lets an attacker inject arbitrary SQL into the query that getTotalData builds, which can be used to manipulate database queries and to read or modify sensitive data.

Reproduction

To reproduce this vulnerability, send a POST request to the '/jeecg-boot/drag/onlDragDatasetHead/getTotalData' endpoint with a JSON body that specifies 'tableName', 'compName' and 'condition'. The 'name' field of that body can be crafted to carry a SQL injection payload, because the validation applied to it is inadequate. Until a fixed version is deployed, any request to this endpoint whose string fields contain SQL metacharacters (quotes, comment sequences, UNION/SELECT keywords, time-delay functions) should be treated as an attack attempt.
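The following request-inspection routine is an added example, not code from the advisory or from the JeecgBoot project. It flags POST requests to the getTotalData endpoint named above whose JSON fields either are not plain identifiers (for 'tableName', 'compName' and 'name') or contain common SQL injection indicators anywhere in the body. The page does not publish the exact bypass payload or the nesting of the fields, so the field layout, the table name 'sys_user', the pattern list and the sample requests are constructed assumptions; the routine generalizes to any string anywhere in the JSON rather than only the 'name' field.

```python
from __future__ import annotations

import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# Endpoint named in the advisory (JeecgBoot context path plus controller route).
VULN_ENDPOINT = "/jeecg-boot/drag/onlDragDatasetHead/getTotalData"

# Generic SQL-injection indicators. The advisory does not give the bypass
# payload, so these are assumed, common shapes, not a signature of the exploit.
SQLI_PATTERNS = [
    re.compile(r"'"),                                   # breaking out of a string literal
    re.compile(r"--|#|/\*"),                            # SQL comment sequences
    re.compile(r"\bunion\b.*\bselect\b", re.I),         # UNION-based extraction
    re.compile(r"\b(sleep|benchmark|updatexml|extractvalue)\s*\(", re.I),  # MySQL time/error based
    re.compile(r"\b(or|and)\b\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I),           # tautology
    re.compile(r";"),                                   # statement stacking
]

# Fields the advisory names. A legitimate table/column-style value is an
# identifier, so anything outside [A-Za-z0-9_.] is suspicious on its own.
IDENT_FIELDS = {"tableName", "compName", "name"}
IDENT_RE = re.compile(r"^[A-Za-z0-9_.]+$")


def _walk(obj: Any, path: str = "$") -> Iterator[Tuple[str, str, str]]:
    """Yield (json_path, last_key, value) for every string in a JSON tree."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk(value, f"{path}[{index}]")
    elif isinstance(obj, str):
        last_key = path.rsplit(".", 1)[-1].split("[")[0]
        yield path, last_key, obj


def inspect_request(method: str, path: str, body: str) -> List[str]:
    """Return findings for one HTTP request; an empty list means nothing flagged.

    Only POSTs to the getTotalData route are examined. A finding is produced
    when an identifier-style field is not a plain identifier, or when any
    other string value in the body matches a SQL-injection indicator.
    """
    if method.upper() != "POST" or path.split("?", 1)[0] != VULN_ENDPOINT:
        return []
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return [f"unparseable JSON body sent to {VULN_ENDPOINT}"]

    findings: List[str] = []
    for jpath, key, value in _walk(data):
        if key in IDENT_FIELDS and not IDENT_RE.match(value):
            findings.append(f"{jpath}: non-identifier value in {key!r}: {value!r}")
            continue
        for pattern in SQLI_PATTERNS:
            if pattern.search(value):
                findings.append(f"{jpath}: matches {pattern.pattern!r}: {value!r}")
                break
    return findings


def scan(requests: List[Tuple[str, str, str]]) -> Dict[int, List[str]]:
    """Run inspect_request over a batch; return {index: findings} for flagged ones."""
    flagged: Dict[int, List[str]] = {}
    for index, (method, path, body) in enumerate(requests):
        findings = inspect_request(method, path, body)
        if findings:
            flagged[index] = findings
    return flagged


# Constructed sample traffic (not captured from a real system). The body layout
# is an assumption: the advisory names the keys but not how they are nested.
SAMPLE_REQUESTS = [
    ("POST", VULN_ENDPOINT, json.dumps({"tableName": "sys_user", "compName": "bar",
                                        "condition": {}, "name": "username"})),
    ("POST", VULN_ENDPOINT, json.dumps({"tableName": "sys_user", "compName": "bar",
                                        "condition": {}, "name": "username' and sleep(5)-- "})),
    ("GET", "/jeecg-boot/sys/user/list", ""),
    ("POST", VULN_ENDPOINT, json.dumps({"tableName": "sys_user", "compName": "bar",
                                        "condition": {"filter": "id=1 or 1=1"}, "name": "username"})),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS).items():
        print(f"request {index}:")
        for finding in findings:
            print("  ", finding)
```

The identifier allow-list check is the one that matters most: it needs no knowledge of the bypass, because a table or column name that is not a bare identifier is wrong regardless of which validation the application itself applies. The pattern list is a noisier second layer for free-text fields such as 'condition'.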

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 2.5
exploitability: 9.5
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.