BradWenqiang HR Background Management register selectAll sql injection
Description
A vulnerability was found in BradWenqiang HR 2.0. It has been rated as critical. Affected by this issue is the function selectAll of the file /bishe/register of the component Background Management. The manipulation of the argument userName leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-256886 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in BradWenqiang HR 2.0's Background Management user query function allows remote attackers to execute arbitrary SQL commands via the userName parameter.
Vulnerability
A critical SQL injection vulnerability exists in BradWenqiang HR version 2.0. The flaw resides in the selectAll function of the file /bishe/register within the Background Management component. The userName parameter is directly concatenated into SQL queries without proper sanitization. The call chain involves the selectAll() method in the controller, which invokes the service layer's selectAll() method, which in turn calls the mapper layer's selectAllListPage() method where the vulnerable SQL statement is executed [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication by sending a crafted HTTP request to the route r=bishe/register?userName= with a malicious SQL payload in the userName parameter. Tools like sqlmap can automate the exploitation to extract database contents [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands, leading to unauthorized access to the underlying database. This can result in disclosure, modification, or deletion of sensitive data, potentially compromising the entire application and its data [1].
Mitigation
As of the publication date, the vendor has not responded to the disclosure and no official patch is available. Users should implement input validation and parameterized queries to mitigate the risk. Additionally, restricting network access to the Background Management interface can reduce exposure [1].
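The contrast between the concatenation pattern described above and the mitigation advised here, as an added example that is not code from the HR project: Python with an in-memory SQLite table stands in for the application's mapper layer, and the table name `users`, its columns, the sample rows and the allowlist pattern are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for the application's user store.
# Table and column names are assumptions, not the project's schema.
SAMPLE_USERS = [
    ("alice", "hr"),
    ("bob", "staff"),
    ("carol", "admin"),
]

# Assumed allowlist for a user name: letters, digits, '_', '.', '-'.
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def select_all_concatenated(conn, user_name):
    """Vulnerable shape: the request parameter is spliced into the SQL text,
    so quote characters in it change the statement's structure."""
    sql = "SELECT user_name, role FROM users WHERE user_name = '" + user_name + "'"
    return conn.execute(sql).fetchall()


def select_all_parameterized(conn, user_name):
    """Hardened shape: the value is bound as a parameter, so the database
    treats it as data whatever characters it contains."""
    sql = "SELECT user_name, role FROM users WHERE user_name = ?"
    return conn.execute(sql, (user_name,)).fetchall()


def validate_user_name(user_name):
    """Allowlist check at the controller boundary; it complements, and does
    not replace, the parameterized query."""
    return USERNAME_PATTERN.fullmatch(user_name) is not None


def select_all_hardened(conn, user_name):
    """Input validation plus a bound parameter, the two controls the
    mitigation section recommends."""
    if not validate_user_name(user_name):
        raise ValueError("rejected user_name: not in allowlist")
    return select_all_parameterized(conn, user_name)


if __name__ == "__main__":
    db = make_db()
    # Constructed tautology input: with concatenation it rewrites the WHERE
    # clause and every row comes back; with binding it matches nothing.
    tautology = "x' OR '1'='1"
    print("concatenated, benign:   ", select_all_concatenated(db, "alice"))
    print("concatenated, tautology:", select_all_concatenated(db, tautology))
    print("parameterized, tautology:", select_all_parameterized(db, tautology))
    try:
        select_all_hardened(db, tautology)
    except ValueError as exc:
        print("hardened:", exc)
```

Running the block prints one row for the benign lookup, all three rows for the concatenated query fed the tautology, an empty result for the bound query with the same input, and a rejection from the hardened path. The parameterized query alone already neutralizes the injection; the allowlist is defence in depth that also gives a clean signal to log and alert on.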
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =2.0
- BradWenqiang/HR, range: 2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/zuizui35/cve/blob/main/cve.md (mitre, exploit)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.