CVE-2023-25223
Description
CRMEB <=1.3.4 contains a SQL injection vulnerability in the /api/admin/user/list endpoint via the 'level' parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CRMEB versions up to and including 1.3.4 are vulnerable to SQL injection in the /api/admin/user/list endpoint. The level parameter is substituted directly into the query text via ${level} in the MyBatis mapper UserMapper.xml. MyBatis ${} is raw string substitution, unlike #{}, which binds the value as a prepared-statement parameter, so the value is never escaped or validated and an authenticated attacker can inject arbitrary SQL [1].
Exploitation
The endpoint sits under /api/admin, so an attacker must first authenticate as an administrator. Intercepting a GET request to /api/admin/user/list (for example with Burp Suite) and replacing the level value with an error-based payload such as 1 and extractvalue(1,CONCAT(1,user())) causes the database to evaluate the injected expression. Because MySQL's extractvalue() raises an XPath syntax error that echoes its malformed argument, the output of user() is returned to the attacker inside the error message [1].
Impact
Successful exploitation lets the authenticated attacker read arbitrary data from the database through error-based SQL injection, including user credentials and other confidential information [1].
Mitigation
No official patch had been disclosed as of the reference publication date. Users should monitor the vendor's repository for updates. As a workaround, change the mapper to bind the value with #{level} instead of ${level}, and validate that level is an integer before it reaches the query layer; input validation alone is a weaker defence than parameter binding [1].
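The following is an added example by the editor, not code from CRMEB or from the AI Insight above. It models the difference between MyBatis ${} substitution and #{} binding with Python and an in-memory SQLite database: the column and table names (eb_user, uid, account, level) and the sample rows are constructed for the demonstration and are not the real CRMEB schema. SQLite has no extractvalue(), so the page's MySQL error-based payload cannot leak user() here; instead the example shows that under raw substitution the payload reaches the SQL parser at all (it fails with "no such function"), while under parameter binding it is just a string that matches no row. A tautology payload is used to show the same substitution returning every user.

```python
import re
import sqlite3

# Constructed sample data: a small stand-in for a user table, not the real CRMEB schema.
USERS = [
    (1, "alice", 1),
    (2, "bob", 1),
    (3, "carol", 2),
    (4, "dave", 3),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE eb_user (uid INTEGER, account TEXT, level INTEGER)")
    conn.executemany("INSERT INTO eb_user VALUES (?, ?, ?)", USERS)
    return conn


def list_users_vulnerable(conn, level):
    """Mirrors MyBatis ${level}: the raw request value is pasted into the SQL text."""
    sql = f"SELECT uid, account FROM eb_user WHERE level = {level}"
    return conn.execute(sql).fetchall()


def list_users_fixed(conn, level):
    """Mirrors MyBatis #{level}: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT uid, account FROM eb_user WHERE level = ?"
    return conn.execute(sql, (level,)).fetchall()


def parse_level(raw):
    """Controller-side validation (defence in depth): level must be a short non-negative integer."""
    if not re.fullmatch(r"[0-9]{1,3}", raw):
        raise ValueError(f"invalid level: {raw!r}")
    return int(raw)


def demo():
    """Run both query builders against the same payloads and return the observations."""
    conn = make_db()
    tautology = "1 OR 1=1"
    # The page's error-based payload. On MySQL extractvalue() would error out with user()
    # in the message; SQLite lacks the function, so it errors at prepare time instead.
    error_based = "1 and extractvalue(1,CONCAT(1,user()))"

    results = {
        "vuln_legit": list_users_vulnerable(conn, "1"),
        "vuln_tautology": list_users_vulnerable(conn, tautology),
        "fixed_tautology": list_users_fixed(conn, tautology),
        "fixed_error_based": list_users_fixed(conn, error_based),
    }
    try:
        list_users_vulnerable(conn, error_based)
        results["vuln_error_based_reached_parser"] = False
    except sqlite3.OperationalError:
        # "no such function: extractvalue": proof the payload was compiled as SQL.
        results["vuln_error_based_reached_parser"] = True
    try:
        parse_level(error_based)
        results["validation_rejected"] = False
    except ValueError:
        results["validation_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Under raw substitution the tautology returns all four users and the error-based payload is compiled by the database; under parameter binding both payloads are compared as opaque strings against an integer column and match nothing. The parse_level() check is worth keeping in front of the query even after switching to #{}, since it turns an injection attempt into a 4xx at the controller rather than an odd query at the database.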
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=1.3.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.