Zhong Bang CRMEB Java list sql injection
Description
SQL injection in CRMEB Java 1.3.4's /api/admin/system/store/order/list endpoint via the keywords parameter allows remote attackers to execute arbitrary SQL commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An SQL injection vulnerability exists in Zhong Bang CRMEB Java version 1.3.4. The flaw is in the /api/admin/system/store/order/list endpoint, specifically in how the keywords parameter is handled. Per the public write-up, the request is received in com/zbkj/admin/controller/SystemWriteOffOrderController.java and the query is built in com/zbkj/service/service/impl/StoreOrderServiceImpl.java, where the keywords value is spliced into the SQL text rather than bound as a parameter, so any SQL syntax in the value is executed by the database [1].
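To make the difference concrete, here is an added example that is not code from CRMEB Java or its authors: a minimal sqlite3 stand-in for an order-list search, built once the way the description says the vulnerable code is built (string concatenation) and once with bound parameters. The table, column names, rows and payloads are constructed for illustration and do not reproduce the CRMEB schema or the published proof of concept.

```python
import sqlite3

# Constructed stand-in for an order table. Table and column names are
# illustrative and do not reproduce the real CRMEB Java schema.
SEED_ROWS = [
    (1, "wx1001", "alice", 12.5),
    (2, "wx1002", "bob", 40.0),
    (3, "wx1003", "carol", 7.2),
]


def make_db():
    """Return an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE store_order ("
        "id INTEGER PRIMARY KEY, order_id TEXT, real_name TEXT, pay_price REAL)"
    )
    conn.executemany("INSERT INTO store_order VALUES (?, ?, ?, ?)", SEED_ROWS)
    return conn


def list_orders_vulnerable(conn, keywords):
    """Vulnerable pattern: the user-controlled keywords value becomes SQL text."""
    sql = (
        "SELECT id, order_id, real_name FROM store_order "
        "WHERE order_id = '" + keywords + "' "
        "OR real_name LIKE '%" + keywords + "%'"
    )
    return conn.execute(sql).fetchall()


def list_orders_safe(conn, keywords):
    """Hardened pattern: keywords is bound as a value and never parsed as SQL."""
    sql = (
        "SELECT id, order_id, real_name FROM store_order "
        "WHERE order_id = ? OR real_name LIKE ?"
    )
    return conn.execute(sql, (keywords, "%" + keywords + "%")).fetchall()


# Constructed payloads for the demonstration (hypothetical, not the public PoC).
TAUTOLOGY = "' OR '1'='1"
# The target query selects three columns, so the UNION supplies three;
# pay_price is smuggled out through the real_name column and the trailing
# "--" comments out the rest of the original WHERE clause.
UNION_LEAK = "' UNION SELECT id, pay_price, 'leak' FROM store_order --"


def demo():
    """Run both implementations against normal and hostile input."""
    conn = make_db()
    return {
        "vuln_normal": list_orders_vulnerable(conn, "alice"),
        "safe_normal": list_orders_safe(conn, "alice"),
        "vuln_tautology": list_orders_vulnerable(conn, TAUTOLOGY),
        "safe_tautology": list_orders_safe(conn, TAUTOLOGY),
        "vuln_union": sorted(list_orders_vulnerable(conn, UNION_LEAK)),
        "safe_union": list_orders_safe(conn, UNION_LEAK),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the tautology the concatenated query returns every row; with the UNION payload it returns pay_price values through a column the caller expected to hold names. The bound-parameter version returns exactly the rows whose order_id or real_name literally contains the hostile string, which is none. The same holds for a Java ORM: any API that takes the value as a bound argument is safe, any API that takes a string fragment built from the value is not.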
Exploitation
An attacker exploits the flaw by sending a crafted HTTP request to the endpoint with SQL syntax in the keywords parameter. A proof of concept has been published [1], so the payload is a matter of public record and opportunistic exploitation is likely. Note that the endpoint is part of the admin API: the description above does not establish whether the handler is reachable without an authenticated admin session, so treat the precondition as network access to the admin API, probably with a valid admin login, until verified against the deployment.
Impact
Successful exploitation lets the attacker run SQL with the privileges of the application's database account. Depending on that account, this reaches sensitive data such as user credentials, order details and other administrative data, and with write privileges it allows records to be modified or deleted, undermining the integrity of the application and its data.
Mitigation
As of the publication date (2023-03-03), no official patch has been released for this vulnerability. The fix belongs on the vendor side: build the query with parameterized statements, or the ORM's bound-parameter API, so the keywords value is never part of the SQL text. Until then, administrators should restrict network access to the admin API endpoints, treat input validation on the keywords parameter as defense in depth rather than a fix, and monitor requests to this endpoint for SQL syntax in that parameter. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
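As an added example for the monitoring side of this advice (not part of the page or the CRMEB project), the following scans access-log lines for requests to the affected endpoint whose decoded keywords value carries injection keywords or comment sequences. The log lines and payloads are constructed; the endpoint path is the one named above, and the heuristics are deliberately conservative so that a legitimate apostrophe in a name is not flagged.

```python
import re
from urllib.parse import parse_qs, urlsplit

AFFECTED_PATH = "/api/admin/system/store/order/list"

# Constructed access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2023:10:12:01 +0000] "GET /api/admin/system/store/order/list?page=1&limit=20&keywords=wx1001 HTTP/1.1" 200 512
10.0.0.9 - - [03/Mar/2023:10:12:07 +0000] "GET /api/admin/system/store/order/list?page=1&limit=20&keywords=%27%20OR%201%3D1%20-- HTTP/1.1" 200 9014
10.0.0.9 - - [03/Mar/2023:10:12:09 +0000] "GET /api/admin/system/store/order/list?keywords=%27%20UNION%20SELECT%201%2C2%2C3%20-- HTTP/1.1" 500 233
10.0.0.7 - - [03/Mar/2023:10:13:00 +0000] "GET /api/admin/system/store/order/list?keywords=O%27Brien HTTP/1.1" 200 480
10.0.0.8 - - [03/Mar/2023:10:14:00 +0000] "GET /api/admin/system/user/list?keywords=%27%20OR%201%3D1 HTTP/1.1" 200 300
"""

# client, timestamp, method, request target and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristics for SQL injection attempts in a free-text search value. A bare
# quote is intentionally not enough on its own (names like O'Brien are legal).
INJECTION_RE = re.compile(
    r"\bunion\b\s+(all\s+)?\bselect\b"                  # UNION-based reads
    r"|\bor\b\s+\S+\s*=\s*\S+"                          # tautologies such as OR 1=1
    r"|--|/\*|;"                                        # comment / statement terminators
    r"|\b(sleep|benchmark|updatexml|extractvalue)\s*\(",  # time- and error-based probes
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "status": int(m.group("status")),
        "keywords": params.get("keywords", []),
    }


def find_injection_attempts(log_text, path=AFFECTED_PATH):
    """Return (ip, timestamp, decoded keywords) for suspicious requests to path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue
        for value in rec["keywords"]:
            if INJECTION_RE.search(value):
                hits.append((rec["ip"], rec["ts"], value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in find_injection_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} keywords={value!r}")
```

The scan matches on the percent-decoded value, since an attacker will normally URL-encode the payload. Restricting the match to the affected path keeps the rule tight; pass a different path to reuse it for other list endpoints once they have been reviewed for the same pattern.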
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries
- (no CPE) range: =1.3.4
- (no CPE) range: 1.3.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3 references
- github.com/ha1yuYiqiyinHangzhouTechn0logy/crmeb_java/blob/main/README.md (mitre; tags: exploit)
- vuldb.com (mitre; tags: signature, permissions-required)
- vuldb.com (mitre; tags: vdb-entry, technical-description)
News mentions
No linked articles in our index yet.