YunaiV yudao-cloud SQL Injection Vulnerability in Tenant API
Vulnerability
A SQL injection vulnerability has been identified in YunaiV yudao-cloud versions prior to 2026.01. The issue resides in the API endpoint '/admin-api/system/tenant/get-by-website', where the 'website' parameter can be manipulated to execute arbitrary SQL commands. This vulnerability allows for boolean-based blind SQL injection, enabling attackers to interact with the database. The flaw can be exploited remotely without authentication.
Impact
Exploitation of this vulnerability allows for boolean-based blind SQL injection, where an attacker can manipulate SQL queries to extract information from the database or potentially modify database contents.
Reproduction
To reproduce this vulnerability, send a GET request to the '/admin-api/system/tenant/get-by-website' endpoint with a crafted 'website' parameter that includes SQL injection payloads. Because the injection is boolean-based blind, it can be verified by observing how the application's response differs between a payload whose injected condition is true and one whose condition is false, or by using a tool like SQLMap to automate the process.
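For defenders, the practical question is how to spot probing of this endpoint in web server or gateway logs. The following Python script is an added detection example written for this advisory; it is not code from the yudao-cloud project or from the advisory's author. It assumes access logs in the common combined format (the sample lines below are constructed, not real traffic), parses each request line, and flags requests to the affected endpoint whose 'website' parameter carries SQL metacharacters. It then pairs up flagged requests per client that produced differently sized responses, which is the signature of boolean-based blind probing described above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2026:10:01:02 +0000] "GET /admin-api/system/tenant/get-by-website?website=shop.example.com HTTP/1.1" 200 512
10.0.0.7 - - [12/Jan/2026:10:01:09 +0000] "GET /admin-api/system/tenant/get-by-website?website=shop.example.com%27%20AND%201%3D1--%20 HTTP/1.1" 200 512
10.0.0.7 - - [12/Jan/2026:10:01:10 +0000] "GET /admin-api/system/tenant/get-by-website?website=shop.example.com%27%20AND%201%3D2--%20 HTTP/1.1" 200 77
10.0.0.9 - - [12/Jan/2026:10:02:00 +0000] "GET /admin-api/system/tenant/get-by-website?website=o%27neil.example.com HTTP/1.1" 200 512
10.0.0.9 - - [12/Jan/2026:10:02:30 +0000] "GET /admin-api/system/user/page?pageNo=1 HTTP/1.1" 200 2048
"""

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/admin-api/system/tenant/get-by-website"
PARAM = "website"

# Combined log format: client, identd, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicator patterns (assumed heuristics, tuned to keep a lone apostrophe unflagged
# so that a value such as o'neil.example.com is not reported).
INDICATORS = [
    (re.compile(r"'\s*(and|or)\b", re.IGNORECASE), "quote followed by boolean operator"),
    (re.compile(r"(--|#|/\*)"), "SQL comment sequence"),
    (re.compile(r"\b(union|select|sleep|benchmark)\b", re.IGNORECASE), "SQL keyword"),
    (re.compile(r"\b\d+\s*=\s*\d+\b"), "numeric tautology/contradiction"),
]


def analyse_line(line: str):
    """Return a finding dict for a suspicious request to the tenant endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes once; decode again in case the value was double-encoded.
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        value = unquote_plus(raw)
        reasons = [label for pat, label in INDICATORS if pat.search(value)]
        if reasons:
            size = m.group("size")
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "value": value,
                "reasons": reasons,
                "status": int(m.group("status")),
                "size": 0 if size == "-" else int(size),
            }
    return None


def analyse_log(text: str):
    """Run analyse_line over every line of a log and collect the findings."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]


def boolean_pairs(findings):
    """Per client, report flagged requests whose responses differ in size.

    A true/false condition pair that yields two response sizes is the classic
    footprint of boolean-based blind probing; returns {ip: sorted sizes}.
    """
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["size"])
    return {ip: sorted(sizes) for ip, sizes in by_ip.items() if len(sizes) > 1}


if __name__ == "__main__":
    found = analyse_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} size={f['size']} {f['value']!r}: {', '.join(f['reasons'])}")
    print("boolean-blind candidates:", boolean_pairs(found))
```

Run against the constructed sample, the script flags the two requests from 10.0.0.7 and reports that client as a boolean-blind candidate, while the apostrophe in o'neil.example.com and the request to an unrelated endpoint pass untouched. In production the same logic belongs in a SIEM rule keyed on the endpoint path, with the response-size comparison bounded by a short time window; the indicator list is a starting heuristic, not a complete signature set.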
