zj1983 zz SQL Injection Vulnerability in UserLoginJson Endpoint

Vulnerability

A critical SQL injection vulnerability has been identified in zj1983 zz versions through 2024-8. The issue resides in the GetDBUser function within ZorgAction.java. The vulnerability can be exploited remotely by manipulating the user_id parameter, which is concatenated directly into the SQL query text without parameterization or sanitization.
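As an added illustration (not code from the zz project), the concatenation pattern the advisory describes is shown beside its parameterized replacement; the class name, the table and column names and the JDBC wiring are assumptions, and only the GetDBUser method name and the user_id parameter come from the advisory:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Illustration only, not code from the zz project. The table and column
// names (zz_user, user_id, user_name) and the class name are assumptions.
public class UserLookup {

    // The pattern the advisory describes: the request parameter is spliced
    // into the SQL text, so the database parses whatever the client sent as
    // part of the query structure. Any quote character in userId changes the
    // statement instead of being treated as data.
    public static String getDBUserUnsafe(Connection conn, String userId) throws SQLException {
        String sql = "SELECT user_name FROM zz_user WHERE user_id = '" + userId + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("user_name") : null;
        }
    }

    // Hardened form: the query text is a constant and user_id travels to the
    // database as a bound parameter, so its contents are never parsed as SQL.
    // If the application knows user_id must be numeric, parsing it to a long
    // before binding adds a second, independent check.
    public static String getDBUserSafe(Connection conn, String userId) throws SQLException {
        String sql = "SELECT user_name FROM zz_user WHERE user_id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("user_name") : null;
            }
        }
    }
}
```

When auditing the real GetDBUser, any occurrence of user_id inside a string that is passed to Statement.executeQuery or Statement.execute is the pattern to replace; a PreparedStatement with all values bound through setXxx calls is the expected end state.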

Impact

A successful attack lets the attacker interfere with the queries the application issues to its database. This could lead to unauthorized data access, data modification, or, depending on the privileges of the database account the application uses, execution of administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to the UserLoginJson endpoint with a crafted user_id parameter that includes SQL injection payloads. The injection can be confirmed with a tool such as sqlmap, which automates the detection and exploitation of SQL injection vulnerabilities.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.