Ywoa SQL Injection Vulnerability in AddressDao.xml Component

A critical SQL injection vulnerability has been identified in the Ywoa application, affecting versions prior to 2024.07.03. The issue arises in the 'selectList' function of the 'com/cloudweb/oa/mapper/xml/AddressDao.xml' file. This vulnerability allows remote attackers to manipulate SQL queries, potentially leading to unauthorized data access or modification. The vulnerability has been publicly disclosed and is known to be exploitable.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a crafted request to the 'Yunwang OA-Background/address/list?orderBy' interface. The request should include input that manipulates the SQL query, taking advantage of the application's failure to properly sanitize user input before it is processed by the database.

Remediation

Users are advised to upgrade to Ywoa version 2024.07.04, which addresses this vulnerability.