CVE-2026-10202
Description
OFCMS 1.1.3 has a SQL injection vulnerability in the SystemDictController's query interface, allowing remote blind SQL injection via the 'field' parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The SQL injection vulnerability resides in the SystemDictController.java file of OFCMS 1.1.3, specifically in the /admin/system/dict/query.json endpoint. The query() method on line 28 uses Db.getSqlPara() with user-supplied field and sort parameters, which are directly concatenated into the ORDER BY clause of the SQL statement without proper sanitization. This allows an attacker to inject arbitrary SQL commands through the field parameter. [1]
Exploitation
An attacker can exploit this vulnerability remotely by sending an HTTP request to the /admin/system/dict/query.json endpoint with a crafted field parameter containing SQL injection payloads. No authentication is specified as required, and the exploit is publicly available. The attack can be performed as a blind SQL injection, using boolean-based or time-based techniques to extract data. [1]
Impact
Successful exploitation allows an attacker to perform blind SQL injection, enabling extraction of sensitive information from the database. For example, an attacker can read user credentials, such as the admin user's password hash, as demonstrated in the reference. This can lead to further compromise of the system. [1]
Mitigation
As of the latest disclosure, the vendor has not responded to the issue report, and no patch or official fix is available. Users are advised to restrict network access to the admin interface, implement a web application firewall (WAF) to filter malicious inputs, or manually validate and sanitize the field parameter in the affected code until an official update is released. [1]
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `field` parameter is directly concatenated into the SQL `ORDER BY` clause without validation, enabling blind SQL injection."
Attack vector
An authenticated attacker sends a POST request to `/ofcms_admin/admin/system/dict/query.json` with a crafted `field` parameter. Because the `field` value is appended directly to the `ORDER BY` clause without sanitization, the attacker can inject SQL expressions such as conditional subqueries. By observing HTTP response differences (200 vs. 500), the attacker performs blind SQL injection to extract sensitive data, such as the admin user's password hash. [1]
Affected code
The vulnerability resides in the `query()` method of `SystemDictController.java` (`/ofcms-admin/src/main/java/com/ofsoft/cms/admin/controller/system/SystemDictController.java`). The `field` parameter is passed unsanitized into the SQL query defined in `dict.sql` (`/ofcms-admin/src/main/resources/conf/sql/system/dict.sql`), where it is directly concatenated into the `ORDER BY` clause.
What the fix does
No patch has been published by the vendor. The advisory recommends filtering user input and implementing a whitelist of allowed sortable fields so that only predefined column names are appended to the SQL statement. Without such validation, the `field` parameter remains a direct injection vector into the `ORDER BY` clause. [1]
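The whitelist approach recommended above, as an added example written for this page rather than OFCMS source code. It shows the vulnerable shape the advisory describes (sort field and direction spliced into `ORDER BY`) next to a hardened version that only lets predefined column identifiers reach the SQL text. The table name `sys_dict`, the sort keys and their column names, and the `buildOrderByUnsafe` / `buildOrderBySafe` helpers are assumptions; the real controller goes through JFinal's `Db.getSqlPara()` and the `dict.sql` template, which this standalone class does not use.

```java
import java.util.Map;
import java.util.Set;

/**
 * Added example (not OFCMS code): validating an ORDER BY sort field taken
 * from a request before it is placed into a SQL statement.
 */
public class SortWhitelist {

    // Assumed whitelist: request-facing sort keys mapped to the exact column
    // identifiers allowed in ORDER BY. Only the map's values ever reach SQL.
    private static final Map<String, String> SORTABLE_COLUMNS = Map.of(
        "id", "id",
        "name", "dict_name",
        "value", "dict_value",
        "sort", "sort_num"
    );

    private static final Set<String> SORT_DIRECTIONS = Set.of("ASC", "DESC");

    /**
     * Vulnerable pattern described in the advisory: the caller's field and
     * sort values are concatenated straight into the ORDER BY clause.
     */
    public static String buildOrderByUnsafe(String field, String sort) {
        return "SELECT * FROM sys_dict ORDER BY " + field + " " + sort;
    }

    /**
     * Hardened pattern: the request value is used only as a lookup key.
     * Unknown keys and unknown directions are rejected, so no attacker-supplied
     * text is ever appended to the statement.
     */
    public static String buildOrderBySafe(String field, String sort) {
        String column = SORTABLE_COLUMNS.get(field == null ? "" : field.trim());
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort field");
        }
        String direction = sort == null ? "ASC" : sort.trim().toUpperCase();
        if (!SORT_DIRECTIONS.contains(direction)) {
            throw new IllegalArgumentException("unsupported sort direction");
        }
        return "SELECT * FROM sys_dict ORDER BY " + column + " " + direction;
    }

    public static void main(String[] args) {
        // Accepted: a known key and a known direction.
        System.out.println(buildOrderBySafe("name", "desc"));

        // Rejected: constructed inputs that are not whitelist keys, including
        // a value that carries extra SQL punctuation.
        for (String bad : new String[] {"unknown_column", "name, 1"}) {
            try {
                buildOrderBySafe(bad, "asc");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + bad + "': " + e.getMessage());
            }
        }
    }
}
```

The key design point is that the whitelist is a map, not a regex: the string that ends up in the statement is always one of the map's values, so even a key that passes a character filter cannot carry anything beyond the column name it is bound to. Rejecting with an exception (mapped to a 400 response in the controller) is preferable to silently falling back to a default sort, because the rejection is also what a defender can log and alert on.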
Preconditions
- Authentication: the attacker must have valid backend authentication (a logged-in session cookie).
- Network: the application must be reachable over the network.
- Input: the `field` parameter is attacker-controlled and unsanitized.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 5
News mentions: 0
No linked articles in our index yet.