JoeyBling Bootplus SQL Injection Vulnerability in Role Management
Vulnerability
A critical SQL injection vulnerability has been identified in JoeyBling Bootplus versions up to commit 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. The issue arises in the role management feature, specifically within the '/admin/sys/role/list' endpoint. The vulnerability is caused by the application not properly validating the 'sort' parameter, allowing remote attackers to manipulate the input and execute arbitrary SQL commands. This exploitation could potentially lead to unauthorized data access or modification.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a request to the '/admin/sys/role/list' endpoint with a crafted 'sort' parameter that includes SQL injection payloads. The injection can be verified by extracting database information, such as the current user.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.