CVE-2024-46535
Description
Jepaas v7.2.8 has a SQL injection vulnerability in the orderSQL parameter at /homePortal/loadUserMsg, allowing database compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jepaas v7.2.8 contains a SQL injection vulnerability in the orderSQL parameter of the /homePortal/loadUserMsg endpoint. The parameter is not properly sanitized before being used in database queries, allowing an attacker to inject arbitrary SQL commands. This issue is reported in reference [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint with malicious SQL code in the orderSQL parameter. No authentication is required, and the attack can be performed remotely over the network. The injection is triggered when the application processes the request without proper input validation or parameterized queries [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands on the underlying database. This can lead to unauthorized reading or modification of sensitive data, including user credentials and other confidential information. In some cases, further privilege escalation or server compromise may be possible depending on database permissions [1].
Mitigation
As of the publication date, no official fix has been released for Jepaas v7.2.8. Users should sanitize all input to the orderSQL parameter, use parameterized queries, and apply the principle of least privilege to the database connection until a patch is provided. Monitor the official repository for updates [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
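The mitigation above names input sanitization, parameterized queries and least privilege. For a sort-order parameter like orderSQL the practical defence is an allowlist, because column names and sort directions cannot be bound as query parameters; only the filter values can. The following is an added illustration of that pattern, not Jepaas code and not the vulnerable handler: the table name, column names, the user_msg schema and the load_user_msgs function are hypothetical stand-ins.

```python
import re
import sqlite3

# Hypothetical allowlist for a loadUserMsg-style endpoint (constructed for this example).
ALLOWED_SORT_COLUMNS = {"msg_id", "created_at", "subject"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_order_clause(order_sql: str) -> str:
    """Turn a user-supplied sort spec such as "created_at DESC" into an ORDER BY clause.

    The raw string is never copied into SQL: the column must be a plain identifier
    that appears in ALLOWED_SORT_COLUMNS, and the direction must be ASC or DESC.
    Anything else raises ValueError so the caller can reject the request.
    """
    parts = order_sql.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("sort spec must be '<column> [ASC|DESC]'")
    column = parts[0]
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if not _IDENTIFIER.match(column) or column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return f"ORDER BY {column} {direction}"


def is_safe_order(order_sql: str) -> bool:
    """Convenience predicate: True when build_order_clause accepts the spec."""
    try:
        build_order_clause(order_sql)
        return True
    except ValueError:
        return False


def load_user_msgs(conn: sqlite3.Connection, user_id: int, order_sql: str):
    """Hypothetical hardened handler: the filter value is bound as a parameter,
    and the ORDER BY clause comes only from the allowlisted builder."""
    clause = build_order_clause(order_sql)
    sql = f"SELECT msg_id, subject FROM user_msg WHERE user_id = ? {clause}"
    return list(conn.execute(sql, (user_id,)))


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_msg (msg_id INTEGER, user_id INTEGER, subject TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_msg VALUES (?, ?, ?, ?)",
        [
            (1, 7, "welcome", "2024-01-01"),
            (2, 7, "password reset", "2024-02-01"),
            (3, 8, "unrelated user", "2024-03-01"),
        ],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(load_user_msgs(db, 7, "created_at DESC"))
    print(is_safe_order("created_at, 1"))  # malformed spec is rejected
```

The same allowlist approach generalizes to any parameter that selects a column, table or direction; pair it with a database account that can only read the tables the endpoint needs, so a rejected or overlooked input cannot reach data outside that scope.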
Affected products: 2
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.