Joey-Zhou Xiaozhi ESP32 Server Java SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in the Joey-Zhou Xiaozhi ESP32 Server Java application, in versions up to commit a14fe8115842ee42ab5c7a51706b8a85db5200b7. The vulnerability resides in the '/api/user/update' endpoint, where improper handling of the 'state' argument allows for SQL injection. This issue can be exploited remotely, and the vulnerability has been publicly disclosed.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/user/update' endpoint. Include a 'username' parameter and manipulate the 'state' parameter to inject SQL payloads. The injected SQL can be crafted to, for example, extract database information by using SQL injection techniques such as time-based blind injection.