Qihang WMS SQL Injection Vulnerability in SysUserMapper.xml
Vulnerability
A SQL injection vulnerability has been identified in Qihang WMS version 4.0, specifically within the SysUserMapper.xml file. The issue arises from the datascope parameter, which can be manipulated to execute crafted SQL statements. This vulnerability potentially exposes sensitive database information, including Personally Identifiable Information (PII) of users.
Impact
Exploitation of this vulnerability could lead to unauthorized access to database information, including PII, and in some cases, could allow attackers to gain database access rights or even DBA permissions.
Reproduction
The vulnerability can be reproduced by sending a request to the '/prod-api/system/user/list' endpoint. Include a 'params[dataScope]' parameter with a value that exploits the SQL injection, such as 'and length(database())=11'. This request should be made with an authorization token that has admin privileges.
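A log check for the request described above, as an added example that is not part of the original advisory or of the Qihang WMS code: it scans access-log lines for requests to the endpoint that carry a client-supplied params[dataScope] value, including URL-encoded and double-encoded parameter names. The log format, the sample lines, the function names and the assumption that legitimate clients never send this parameter are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

ENDPOINT = "/prod-api/system/user/list"  # endpoint named in the advisory
PARAM = "params[datascope]"              # parameter named in the advisory, lower-cased

# Constructed access-log lines (common log format), not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /prod-api/system/user/list?pageNum=1&pageSize=10 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:07 +0000] "GET /prod-api/system/user/list?pageNum=1&params%5BdataScope%5D=and%20length(database())%3D11 HTTP/1.1" 200 498',
    '10.0.0.9 - - [01/Jan/2025:10:00:09 +0000] "GET /prod-api/system/user/list?params%255BdataScope%255D=x HTTP/1.1" 200 0',
    '10.0.0.7 - - [01/Jan/2025:10:00:11 +0000] "GET /prod-api/system/role/list?params%5BdataScope%5D= HTTP/1.1" 200 77',
]

# Captures the client address and the request target from one log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def datascope_values(target):
    """Return client-supplied dataScope values if target hits the endpoint, else None."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").lower() != ENDPOINT:
        return None
    values = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded names.
        if unquote(key).lower() == PARAM:
            values.append(unquote(value))
    return values

def scan(lines):
    """Return (client_ip, value) for every request that supplies the parameter.

    Assumption: legitimate clients never send params[dataScope], so any
    occurrence on this endpoint is worth reviewing.
    """
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for value in datascope_values(m.group(2)) or []:
            hits.append((m.group(1), value))
    return hits

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} supplied params[dataScope]={value!r}")
```

Parameters sent in a request body do not appear in access logs, so this check covers query-string delivery only.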
