Yonyou U8 Cloud SQL Injection Vulnerability in AppServletService.class
Vulnerability
A SQL injection vulnerability has been identified in Yonyou U8 Cloud versions 5.0, 5.0sp, 5.1, and 5.1sp. The issue arises in the file nc/pubitf/erm/mobile/appservice/AppServletService.class, where the usercode parameter is not properly sanitized, allowing for malicious SQL code to be injected. This vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries to execute arbitrary SQL commands. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a request to the AppServletService.class file with a crafted usercode parameter that includes SQL injection payloads. The application will process the input without proper validation, allowing the injected SQL code to be executed.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.