liujianview gymxmjpa SQL Injection Vulnerability in Equipment Controller

Vulnerability

A critical SQL injection vulnerability has been identified in liujianview gymxmjpa version 1.0. The issue resides in the EquipmentDaoImpl function within the EquipmentController.java file. The flaw can be exploited remotely by manipulating the hyname parameter, which is not properly sanitized before it is used in SQL queries.

Impact

Successful exploitation gives an attacker SQL injection, which could lead to unauthorized data access or manipulation and potentially enable further attacks on the application or database.

Reproduction

The vulnerability can be reproduced by sending a request to the qc/query endpoint with a crafted hyname parameter that includes SQL injection payloads. The response can be used to extract database information, demonstrating the successful exploitation of the SQL injection vulnerability.
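The following is an added example and is not code from the gymxmjpa project or from this advisory. It models the reported pattern (a request parameter such as hyname concatenated into the query string inside a DAO) beside the parameterized form that fixes it, using Python's sqlite3 module as a stand-in for the project's Java data layer. The table, rows, and function names are constructed; the Java equivalent of the bound `?` is a `PreparedStatement` with `setString`, or `Query.setParameter` in JPA. The heuristic at the end is only a logging aid for detection and is deliberately not the fix.

```python
import re
import sqlite3

# Constructed sample data standing in for the equipment table; not the project's real schema.
SAMPLE_ROWS = [
    ("Treadmill", "Cardio"),
    ("Rowing machine", "Cardio"),
    ("Squat rack", "Strength"),
    ("Smith's machine", "Strength"),  # a legitimate value containing a quote
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a hypothetical equipment table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE equipment (hyname TEXT, category TEXT)")
    conn.executemany("INSERT INTO equipment VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn: sqlite3.Connection, hyname: str) -> list:
    """Hypothetical DAO pattern: the request parameter is spliced into the SQL text.

    Anything the caller puts in hyname becomes part of the statement, so a quote
    character changes the query's structure instead of being matched as data.
    """
    sql = "SELECT hyname, category FROM equipment WHERE hyname = '" + hyname + "'"
    return conn.execute(sql).fetchall()


def query_parameterized(conn: sqlite3.Connection, hyname: str) -> list:
    """Hardened form: the value is bound to a placeholder and never parsed as SQL."""
    sql = "SELECT hyname, category FROM equipment WHERE hyname = ?"
    return conn.execute(sql, (hyname,)).fetchall()


def probe(hyname: str) -> dict:
    """Run one input through both query styles and return the row count each produced.

    A count of 'error' means the database refused to parse the assembled statement,
    which is what the concatenating version does on ordinary data containing a quote.
    """
    conn = make_db()
    result = {}
    for name, fn in (("vulnerable", query_vulnerable), ("parameterized", query_parameterized)):
        try:
            result[name] = len(fn(conn, hyname))
        except sqlite3.Error:
            result[name] = "error"
    conn.close()
    return result


# Detection aid only: flags parameter values worth logging for review. It is not a
# sanitizer and must not replace parameterized queries (it misses plenty and also
# cannot tell an attacker's quote from the one in "Smith's machine").
SUSPICIOUS = re.compile(r"'\s*(or|and)\s|--|;|/\*", re.IGNORECASE)


def looks_suspicious(value: str) -> bool:
    """Return True when a request parameter resembles a SQL tautology or comment."""
    return SUSPICIOUS.search(value) is not None


if __name__ == "__main__":
    for value in ("Treadmill", "Smith's machine", "' OR '1'='1"):
        print(repr(value), probe(value), "flag" if looks_suspicious(value) else "")
```

Running the script shows the two concerns lining up: the concatenating query breaks on the legitimate "Smith's machine" row and returns every row for the tautology input, while the parameterized query returns exactly the rows whose hyname equals the supplied string in both cases.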

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.