VYPR
Medium severity (6.3) · NVD Advisory · Published Jun 1, 2026

CVE-2026-10203

Description

OFCMS 1.1.3 contains an SQL injection vulnerability in the JSON query interface that allows remote attackers to extract sensitive database content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The OFCMS 1.1.3 admin backend has an SQL injection vulnerability in the SystemParamController class, specifically in the query() method of /admin/system/param/query.json. The field parameter is directly concatenated into the ORDER BY clause of the SQL query without sanitization, as shown in the SQL mapping file param.sql [1]. An attacker can exploit this by sending a crafted HTTP request with malicious SQL in the field parameter.

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending a POST or GET request to /admin/system/param/query.json with a malicious field parameter. The injection occurs in the ORDER BY clause, enabling blind SQL injection techniques (Boolean-based or time-based). The reference demonstrates extracting the admin user's password by constructing a query with conditional logic [1].

Impact

Successful exploitation allows the attacker to retrieve arbitrary data from the database, including user credentials and other sensitive information. The attack does not require prior authentication, leading to full information disclosure of the database contents.

Mitigation

As of the publication date, the project maintainers have not responded to the issue report, and no official fix has been released [1]. Users are advised to restrict access to the vulnerable endpoint via firewall or web application firewall rules, or to upgrade to a patched version if one becomes available. The vulnerability has been publicly disclosed and is listed as exploitable.

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Improper validation of the `field` parameter allows direct concatenation into the SQL `ORDER BY` clause, enabling blind SQL injection."

Attack vector

An authenticated attacker sends a POST request to `/ofcms_admin/admin/system/param/query.json` with a crafted `field` parameter containing SQL expressions. Because the parameter is unsanitized and placed directly into the `ORDER BY` clause, the attacker can perform blind SQL injection using conditional logic (e.g., `if(condition,1,(select 1 union select 2))`) to exfiltrate data character by character. The attack is remote and requires only a valid backend session cookie.

Affected code

The vulnerability is in `SystemParamController.java` at the `/admin/system/param/query.json` endpoint, specifically in the `query()` method. The `field` and `sort` parameters are concatenated directly into the `ORDER BY` clause of the SQL query defined in `param.sql`. No patch has been published by the vendor.

What the fix does

The advisory recommends filtering user input or implementing a whitelist of allowed sort fields. No official patch has been released; the project has not responded to the issue report. Without a fix, the `field` and `sort` parameters remain unsanitized and can be exploited for blind SQL injection.
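As an added illustration of the whitelist approach the advisory recommends (this is example code, not OFCMS code), the sort clause is built only from constants, so the raw `field` and `sort` request parameters never reach the SQL text. The `SortClauseBuilder` class and the column names in the allow-list are hypothetical.

```java
import java.util.Map;
import java.util.Set;

// Example (not OFCMS code): build ORDER BY from an allow-list instead of
// concatenating the `field` / `sort` request parameters into the SQL.
public final class SortClauseBuilder {

    // Hypothetical allow-list: request parameter value -> real column name.
    // Only these keys are accepted; anything else is rejected outright.
    private static final Map<String, String> ALLOWED_FIELDS = Map.of(
        "id", "param_id",
        "name", "param_name",
        "created", "create_time"
    );

    private static final Set<String> ALLOWED_DIRECTIONS = Set.of("asc", "desc");

    private SortClauseBuilder() {}

    /**
     * Returns " ORDER BY <column> <ASC|DESC>" for a whitelisted pair, or throws
     * IllegalArgumentException for anything else. The returned text contains
     * only constants defined in this class, never request input, so appending
     * it to the query cannot change the query's structure.
     */
    public static String build(String field, String sort) {
        String column = ALLOWED_FIELDS.get(field);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort field: " + field);
        }
        String dir = (sort == null || sort.isEmpty()) ? "asc" : sort.toLowerCase();
        if (!ALLOWED_DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("unsupported sort direction: " + sort);
        }
        return " ORDER BY " + column + " " + dir.toUpperCase();
    }

    public static void main(String[] args) {
        // A legitimate sort request maps to a fixed column name.
        System.out.println("SELECT * FROM of_sys_param" + build("name", "desc"));
        // A value that is not a known sort key is rejected before any SQL is built.
        try {
            build("if(1=1,1,0)", "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same lookup can be applied to the `sqlid` parameter if it selects a mapping from `param.sql`, so that only known statement ids are resolvable.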

Preconditions

  • auth: Attacker must have a valid backend session cookie (authenticated user).
  • network: Attacker must be able to send HTTP POST requests to the /admin/system/param/query.json endpoint.
  • input: The field parameter is directly concatenated into the ORDER BY clause without sanitization.

Reproduction

The Gitee issue provides a full reproduction: log in to the backend, obtain the JSESSIONID cookie, then send a POST request with `sqlid=system.param.query&pageNum=1&pageSize=10&field=if(LeNgth((select/**/user_password/**/from/**/of_sys_user/**/where/**/user_id=1))=X,1,(select/**/1/**/union/**/select/**/2))&sort=asc`. Iterate X from 1 to 250; a 200 response indicates the correct password length. Then use `field=if((select/**/ascii(substr(user_password,X,1))/**/from/**/of_sys_user/**/where/**/user_id=1)=Y,1,(select/**/1/**/union/**/select/**/2))` to extract each character.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0