CVE-2024-48307
Description
JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component /onlDragDatasetHead/getTotalData.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in JeecgBoot v3.7.1 via /onlDragDatasetHead/getTotalData allows attackers to execute arbitrary SQL.
Vulnerability overview
CVE-2024-48307 is a SQL injection vulnerability in JeecgBoot v3.7.1, a low-code development platform. The issue resides in the /onlDragDatasetHead/getTotalData endpoint, which fails to properly sanitize user-supplied input in the fieldName parameter. This allows an attacker to inject arbitrary SQL commands into database queries [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted JSON payload to the endpoint. As demonstrated in a publicly disclosed proof-of-concept, the attacker can use concat(username,0x3a,password) in the fieldName to extract sensitive data from the sys_user table. No authentication is required, making this a critical risk [4].
Impact
Successful exploitation enables the attacker to execute arbitrary SQL queries, potentially leading to the extraction of all database contents, including user credentials and other sensitive information. This could result in full compromise of the application and underlying data.
Mitigation
The vulnerability was reported via a GitHub issue, and the latest version of JeecgBoot (3.9.2) likely contains a fix. Users are strongly advised to upgrade to the latest version or apply appropriate input validation and parameterized queries to the affected endpoint [1].
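The mitigation above names two controls, input validation and parameterized queries. They are not interchangeable here: the injected value in this CVE is fieldName, a column identifier, and a JDBC bind parameter cannot carry an identifier, only a data value. The defence for an identifier is to allowlist it against the columns the server already knows about, and to bind only the genuine data values. The following is an added illustration in plain JDBC, not JeecgBoot's own code: the SUM aggregate, the tenant_id filter, and the class and method names are assumptions, since the endpoint's real SQL is not on the page.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Types;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added defensive example (hypothetical class, not JeecgBoot code).
 * Contrasts splicing a user-controlled column name into SQL text with
 * validating it against the table's real columns before it reaches the query.
 */
public final class TotalDataQuery {

    // Shape of a plain SQL identifier; a first, cheap filter before the metadata check.
    private static final Pattern IDENT = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    /** Vulnerable pattern: the caller's fieldName becomes part of the statement text. */
    static String buildVulnerable(String table, String fieldName) {
        return "SELECT SUM(" + fieldName + ") AS total FROM " + table;
    }

    /**
     * Hardened pattern: the identifier is accepted only if it names a numeric
     * column of the (server-chosen) table, and the canonical name from the
     * catalogue is used, not the caller's string. The data value is bound.
     */
    static String buildHardened(Connection conn, String table, String fieldName) throws SQLException {
        if (fieldName == null || !IDENT.matcher(fieldName).matches()) {
            throw new IllegalArgumentException("field name is not a plain identifier");
        }
        Map<String, String> allowed = numericColumns(conn, table);
        String canonical = allowed.get(fieldName.toLowerCase());
        if (canonical == null) {
            throw new IllegalArgumentException("unknown or non-numeric column");
        }
        String q = quoteString(conn);
        // tenant_id is an assumed filter column; it is a value, so it is a bind parameter.
        return "SELECT SUM(" + q + canonical + q + ") AS total FROM "
                + q + table + q + " WHERE tenant_id = ?";
    }

    /** Map of lower-cased column name -> canonical column name, numeric columns only. */
    static Map<String, String> numericColumns(Connection conn, String table) throws SQLException {
        Map<String, String> out = new HashMap<>();
        DatabaseMetaData md = conn.getMetaData();
        try (ResultSet rs = md.getColumns(null, null, table, null)) {
            while (rs.next()) {
                int type = rs.getInt("DATA_TYPE");
                switch (type) {
                    case Types.SMALLINT: case Types.INTEGER: case Types.BIGINT:
                    case Types.DECIMAL: case Types.NUMERIC: case Types.REAL:
                    case Types.FLOAT: case Types.DOUBLE:
                        String name = rs.getString("COLUMN_NAME");
                        out.put(name.toLowerCase(), name);
                        break;
                    default:
                        break;
                }
            }
        }
        return out;
    }

    /** The driver's identifier quote character, defaulting to the SQL standard double quote. */
    static String quoteString(Connection conn) throws SQLException {
        String q = conn.getMetaData().getIdentifierQuoteString();
        return (q == null || q.trim().isEmpty()) ? "\"" : q;
    }

    /** Runs the hardened query; only tenantId is ever sent as a parameter. */
    static long total(Connection conn, String table, String fieldName, long tenantId) throws SQLException {
        String sql = buildHardened(conn, table, fieldName);
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, tenantId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getLong("total") : 0L;
            }
        }
    }
}
```

With this shape, a fieldName such as the concat(...) expression quoted in the Exploitation section is rejected at the regular-expression check, and a syntactically plain name that is not a numeric column of the table is rejected at the metadata check, so nothing the caller controls is ever interpolated into the statement. The same split applies in MyBatis mappers, where `${}` is textual substitution and `#{}` is a bind parameter: an identifier that must go through `${}` needs exactly this kind of allowlist first.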
- GitHub - jeecgboot/JeecgBoot: AI low-code platform, driven by the dual "low-code + zero-code" modes: low-code generates front-end and back-end code with one click, zero-code builds a system in 5 minutes, and AI Skills draw a flow, design a form or generate a whole system from a single sentence. Built-in AI chat, knowledge base, flow orchestration, MCP plugins and more, compatible with mainstream large models. Leads the "AI generation → online configuration → code generation → manual merge -> AI modification" development model, eliminating 80% of the repetitive work in Java projects and improving efficiency without losing flexibility.
- /drag/onlDragDatasetHead/getTotalData interface has an unauthorized SQL injection vulnerability.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jeecgframework.boot:jeecg-boot-parent (Maven) | <= 3.7.1 | — |
Affected products
- JeecgBoot/JeecgBoot
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-mcw3-h5xg-r95m (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2024-48307 (advisory, via GHSA)
- github.com/jeecgboot/JeecgBoot/issues/7237 (web, via GHSA)
News mentions
No linked articles in our index yet.