Lvzhou CMS SQL Injection Vulnerability in Content Service

A SQL injection vulnerability has been identified in Lvzhou CMS versions prior to the commit on September 22, 2025. The issue arises in the ContentService 'findPage' method, where the 'title' parameter is directly concatenated into a SQL query without proper sanitization or the use of prepared statements. This vulnerability allows attackers to manipulate the SQL query and potentially access sensitive data from the database.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to the '/admin/content/data' endpoint with a crafted 'title' parameter. The value should be designed to exploit the SQL query handling in the 'findPage' method of the ContentService.

Remediation

It is recommended to filter the 'title' parameter thoroughly and to use prepared statements for SQL queries to prevent direct concatenation of user input into SQL commands.