XCKK Low-Code Development Platform SQL Injection Vulnerability in Address Controller
Vulnerability
A SQL injection vulnerability has been identified in version 9.6 of the XCKK low-code development platform. The issue arises in the AddressController.java file, where the 'orderBy' parameter in the address/list endpoint is not properly sanitized. This lack of validation allows attackers to inject malicious SQL code, potentially leading to unauthorized database access, data manipulation, and leakage of sensitive information.
Impact
Exploitation of this vulnerability allows for SQL injection, enabling attackers to manipulate database queries. This could result in unauthorized data access, data modification or deletion, and extraction of sensitive information from the database.
Reproduction
To reproduce this vulnerability, an authenticated user can send a GET request to the '/oa/address/list' endpoint with a crafted 'orderBy' parameter that includes SQL injection payloads. The injected SQL code is executed by the database, allowing the attacker to manipulate the query and access or modify database information.
Remediation
To address this vulnerability, it is recommended to implement input validation and sanitization for the 'orderBy' parameter, ensuring that only safe, expected values are processed. Additionally, using prepared statements for database queries can help prevent SQL injection by separating SQL code from user input.
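Because a prepared statement cannot bind an ORDER BY column name as a parameter, the practical fix for this kind of parameter is an allowlist that maps accepted sort keys to fixed SQL fragments. The following is an added example (not XCKK's code) of such a check; the column names and the default sort are constructed for illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example: allowlist validation for an ORDER BY fragment such as the
// 'orderBy' parameter of /oa/address/list. The vulnerable pattern the advisory
// describes is string concatenation of the form "... ORDER BY " + orderBy.
public final class OrderByValidator {
    // Sort keys the client may send, mapped to the real column names.
    // Hypothetical columns; the actual address entity is not known here.
    private static final Map<String, String> ALLOWED_COLUMNS = Map.of(
            "id", "id",
            "name", "name",
            "createTime", "create_time");
    private static final Set<String> ALLOWED_DIRECTIONS = Set.of("ASC", "DESC");
    // A sort key is a bare identifier; anything else is rejected before lookup.
    private static final Pattern TOKEN = Pattern.compile("^[A-Za-z_]+$");

    /** Returns a fixed ORDER BY clause, or throws when the input is not allowlisted. */
    public static String sanitize(String orderBy) {
        if (orderBy == null || orderBy.isBlank()) {
            return "ORDER BY id ASC"; // constructed default sort
        }
        String[] parts = orderBy.trim().split("\\s+");
        if (parts.length > 2 || !TOKEN.matcher(parts[0]).matches()) {
            throw new IllegalArgumentException("invalid orderBy");
        }
        String column = ALLOWED_COLUMNS.get(parts[0]);
        if (column == null) {
            throw new IllegalArgumentException("unknown sort column");
        }
        String direction = parts.length == 2 ? parts[1].toUpperCase() : "ASC";
        if (!ALLOWED_DIRECTIONS.contains(direction)) {
            throw new IllegalArgumentException("invalid sort direction");
        }
        // Only values taken from the allowlist reach the query text.
        return "ORDER BY " + column + " " + direction;
    }

    public static void main(String[] args) {
        System.out.println(sanitize("createTime desc")); // ORDER BY create_time DESC
        try {
            sanitize("id; --"); // rejected: not a bare identifier
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Logging the rejected value (without echoing it back to the client) gives a useful detection signal for attempts against this endpoint.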