VYPR
Medium severity 6.3 · NVD Advisory · Published Jun 1, 2026

CVE-2026-10204

Description

OFCMS 1.1.3 SQL injection in SysUserController via query() allows remote attackers to extract database contents.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A SQL injection vulnerability exists in OFCMS 1.1.3 within the /admin/system/user/getData.json endpoint. The query() method in SysUserController.java directly concatenates the field parameter into the ORDER BY clause of the SQL query without proper sanitization. This allows an attacker to inject arbitrary SQL statements. The vulnerability is present in the field and sort parameters. The affected code path is reachable without authentication, as the admin interface is typically exposed to network users. [1]

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP GET request to the /admin/system/user/getData.json endpoint with a malicious field parameter containing SQL expressions, such as nested subqueries and boolean logic. The attacker does not require any special privileges or user interaction. The exploit is publicly available and can be performed remotely. [1]

Impact

Successful exploitation allows an attacker to perform blind SQL injection, enabling them to extract arbitrary data from the database, including administrator credentials (e.g., user_password). This could lead to full compromise of the OFCMS application and the underlying data. [1]

Mitigation

As of the publication date, the project has not responded to the issue and no patch is available. Users should restrict network access to the admin interface (e.g., via firewall or VPN) and monitor for suspicious requests. If possible, disable the /admin/system/user/getData.json endpoint until a fix is released. [1]

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"The `field` parameter is directly concatenated into the SQL `ORDER BY` clause without validation or sanitization, allowing blind SQL injection."

Attack vector

An attacker must first authenticate to the OFCMS backend to obtain a valid session cookie. With that cookie, they send a POST request to `/ofcms_admin/admin/system/user/getData.json` with a crafted `field` parameter containing SQL expressions (e.g., `if(...)` with subqueries). The server appends this value directly into the `ORDER BY` clause, enabling blind SQL injection. By observing HTTP 200 vs. 500 responses, the attacker can exfiltrate data character by character. [ref_id=1]

Affected code

The vulnerability resides in `SysUserController.java` at the `/admin/system/user/getData.json` endpoint. The `field` parameter is passed unsanitized into the SQL query defined in `user.sql`, where it is directly concatenated into the `ORDER BY` clause. [ref_id=1]

What the fix does

No patch has been published by the project maintainer. The advisory recommends two mitigations: (1) filter or validate all user-supplied input before using it in SQL queries, and (2) implement a whitelist of allowed sort columns so that only predefined field names can be appended to the `ORDER BY` clause. [ref_id=1]
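A whitelist of the kind the advisory recommends, written as an added example in the project's language (this is not OFCMS code): the request-facing sort key is looked up in a fixed map and only the mapped literal ever reaches the `ORDER BY` clause. Column names other than `user_id`, and the class and method names, are assumptions.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example, not OFCMS code. Maps a request-facing sort key to a fixed SQL
// identifier so that nothing from the request is ever copied into the query.
public final class SafeOrderBy {

    // Assumed column names apart from user_id, which the advisory names.
    private static final Map<String, String> ALLOWED_COLUMNS = Map.of(
            "id", "user_id",
            "name", "user_name",
            "created", "create_time");

    private static final Set<String> ALLOWED_DIRECTIONS = Set.of("asc", "desc");

    private SafeOrderBy() {}

    // Returns an " ORDER BY <column> <dir>" fragment built only from the
    // literals above; unknown keys or directions are rejected, not passed on.
    public static String build(String field, String sort) {
        if (field == null || field.isEmpty()) {
            return " ORDER BY user_id ASC"; // safe default when no sort requested
        }
        String column = ALLOWED_COLUMNS.get(field);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort field");
        }
        String dir = sort == null ? "asc" : sort.toLowerCase(Locale.ROOT);
        if (!ALLOWED_DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("unsupported sort direction");
        }
        return " ORDER BY " + column + " " + dir.toUpperCase(Locale.ROOT);
    }

    // The pattern the advisory describes, for contrast (never do this):
    //   String sql = "SELECT ... FROM of_sys_user ORDER BY " + field + " " + sort;
    public static void main(String[] args) {
        System.out.println(build("id", "desc"));
        // A real column that is not a permitted sort key is rejected too, so the
        // whitelist also keeps sensitive columns such as user_password out of ORDER BY.
        try {
            build("user_password", "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The lookup-and-reject shape matters more than the exact column list: any value that is not a key in the map, including syntactically valid column names, never becomes part of the SQL text.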

Preconditions

  • auth: Attacker must have a valid authenticated session (backend login cookie).
  • network: The application must be reachable over the network.
  • input: The `field` parameter is attacker-controlled and unsanitized.

Reproduction

The Gitee issue provides a full reproduction: log in to the backend, capture the JSESSIONID cookie, then send a POST to `/ofcms_admin/admin/system/user/getData.json` with `field=if(LeNgth((select/**/user_password/**/from/**/of_sys_user/**/where/**/user_id=1))=X,1,(select/**/1/**/union/**/select/**/2))` and `sort=asc`. Iterate X from 1 to 250; a 200 response indicates the correct password length. Then use `field=if((select/**/ascii(substr(user_password,X,1))/**/from/**/of_sys_user/**/where/**/user_id=1)=Y,1,(select/**/1/**/union/**/select/**/2))` to brute-force each character. [ref_id=1]

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0. No linked articles in our index yet.