Seeyon Zhiyuan Interconnect FE Collaborative Office Platform SQL Injection Vulnerability in security_addUser.jsp

A critical SQL injection vulnerability has been identified in the Seeyon Zhiyuan Interconnect FE Collaborative Office Platform, affecting versions prior to 20250224. The vulnerability resides in the security/addUser.jsp file, where the groupId parameter is not properly sanitized. This oversight allows remote attackers to inject malicious SQL commands, potentially leading to the unauthorized disclosure of sensitive database information, such as user credentials and system configurations. In some cases, the exploited database user has system administrator privileges, amplifying the risk.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate database queries to extract, modify, or delete database information. In verified cases, the vulnerability was exploited with the database user having system administrator privileges, indicating a high risk.

Reproduction

The vulnerability can be reproduced by sending a request to the security/addUser.jsp interface with a crafted groupId parameter that includes SQL injection payloads. This can be automated using sqlmap, a popular SQL injection exploitation tool, by targeting the same URL with the injection payloads.

Remediation

It is recommended to implement input validation to filter special characters and enforce strict type checks for the groupId parameter. Additionally, using prepared statements for database queries can mitigate the risk of SQL injection. Reducing the privileges of database accounts used by the application, especially avoiding high-privilege accounts like 'sa', is also advised. Users should contact Seeyon Zhiyuan Interconnect for security updates or temporary fixes.