Jizhicms
cpe:2.3:a:jizhicms:jizhicms:*:*:*:*:*:*:*
- 2.5.4
A SQL injection vulnerability has been identified in Jizhicms version 2.5.4, specifically within the product editing module. The issue arises because the application does not properly validate and escape user input sent through the 'body' parameter on the '/index.php/admins/Product/editproduct.html' endpoint. This flaw allows authenticated attackers to inject and execute arbitrary SQL commands.
Exploiting this flaw lets an attacker manipulate the application's database queries. In this case, the injection could be used to execute SQL functions such as 'user()', potentially leading to unauthorized data access or modification.
To reproduce this vulnerability, an authenticated user must access the product list module in the backend and edit a product's details. While editing, the user imports a network image by entering a URL that includes SQL injection payloads, such as one that exploits the 'body' parameter. After the content is saved, the injected SQL payload is executed, demonstrating the SQL injection vulnerability.
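The following Python check is an added example, not Jizhicms code: it reviews captured POST requests to the endpoint named above and reports any image URL in the 'body' field that falls outside a strict character allowlist. The captured-request shape, the allowlist and the sample bodies are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

ENDPOINT = "/index.php/admins/Product/editproduct.html"  # endpoint from the advisory

# Assumption: a legitimate remote image URL needs only these characters.
# Quotes, parentheses, whitespace and backslashes are outside the set.
SAFE_URL = re.compile(
    r"https?://[A-Za-z0-9.\-]+(:\d+)?"      # scheme, host, optional port
    r"(/[A-Za-z0-9._~%/\-]*)?"              # path
    r"(\?[A-Za-z0-9._~%&=\-]*)?"            # query string
)


class _ImgSrc(HTMLParser):
    """Collects the src attribute of every <img> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.urls += [v for k, v in attrs if k == "src" and v]


def review_request(method, path, form_body):
    """Return the image URLs in 'body' that fail the allowlist (empty = clean)."""
    if method != "POST" or urlsplit(path).path != ENDPOINT:
        return []
    flagged = []
    for html in parse_qs(form_body).get("body", []):
        parser = _ImgSrc()
        parser.feed(html)
        flagged += [u for u in parser.urls if not SAFE_URL.fullmatch(u)]
    return flagged


# Constructed sample form bodies (not captured traffic).
BENIGN = urlencode({"id": "7", "body":
    '<p>New model</p><img src="https://cdn.example.com/img/p1.png?w=200">'})
# A URL carrying a quote and the user() call mentioned in the advisory.
SUSPICIOUS = urlencode({"id": "7", "body":
    '<img src="http://img.example/a.png\'user()">'})

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, review_request("POST", ENDPOINT, body))
```

The same allowlist can be applied server-side before the URL is stored, but it is defence in depth: the underlying fix is to bind the 'body' value as a query parameter instead of concatenating it into SQL.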