Golden Link Secondary System SQL Injection Vulnerability in QueryTsDictionaryType Interface
Vulnerability
A critical SQL injection vulnerability has been identified in the Golden Link Secondary System, affecting versions prior to 20250424. The issue arises in an unknown function of the file '/paraframework/queryTsDictionaryType.htm', where the argument 'dictCn1' can be manipulated to inject malicious SQL. This vulnerability can be exploited remotely, and the details have been publicly disclosed along with a proof-of-concept exploit.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a request to the 'queryTsDictionaryType.htm' endpoint with a crafted 'dictCn1' parameter that includes SQL injection payloads. The injection point can be verified by observing the application's response for signs of SQL query manipulation, such as database errors or unexpected data.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.