Xiongwei Smart Catering Cloud Platform SQL Injection Vulnerability in dish_trade_detail_get Interface
Vulnerability
A SQL injection vulnerability has been identified in the Xiongwei Smart Catering Cloud Platform version 2.1.6446.28761. The issue arises in the dish_trade_detail_get interface, where the filter parameter can be manipulated to execute SQL injection attacks. This vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a GET request to the dish_trade_detail_get interface with a crafted filter parameter that includes SQL injection payloads. The injection can be verified by using payloads that, for example, attempt to manipulate the SQL query execution, such as those that use UNION SELECT to extract database information.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.