CVE-2026-38808
Description
SQL Injection vulnerability in uzy-ssm-mall v1.1.0 allows a remote attacker to obtain sensitive information via the ProductMapper.xml and /OrderUtil.java components
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in uzy-ssm-mall v1.1.0 allows remote unauthenticated attackers to read sensitive data via a crafted orderBy parameter that bypasses input validation.
Vulnerability
The uzy-ssm-mall v1.1.0 application contains a SQL injection vulnerability in multiple controllers that accept an external orderBy parameter and pass it into OrderUtil. The value is then concatenated directly into ORDER BY clauses in MyBatis XML mappers using ${orderUtil.orderBy} without any whitelist or sanitization. Affected components include ProductMapper.xml (lines 94, 138), UserMapper.xml (line 88), ProductOrderMapper.xml (line 111), and the controllers ForeProductListController.java, AdminUserController.java, AdminOrderController.java, and AdminProductController.java. The flaw is triggered via endpoints such as /product/{index}/{count} and several admin-facing routes. [1]
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP GET or POST request to any vulnerable endpoint that accepts an orderBy parameter. No authentication or special privileges are required. The attacker supplies SQL metacharacters (e.g., a single quote, comment sequences, or UNION payloads) within the orderBy value, which are injected directly into the SQL query without escaping. The taint flow originates in the controller, passes through OrderUtil.java, and ends at the MyBatis ${} interpolation point. [1]
Impact
Successful exploitation allows the attacker to read arbitrary data from the MySQL database, including potentially sensitive user credentials, order details, and other application secrets. The injection occurs in an ORDER BY clause, but well-known techniques (e.g., time-based or error-based extraction) can be used to retrieve data. The attacker gains information disclosure beyond the intended scope; no file write or remote code execution has been demonstrated. [1]
Mitigation
As of the publication date 2026-05-27, no patched version has been released. The vendor has not provided an official fix. Users should upgrade to a future patched release if available, or apply a workaround by replacing ${orderUtil.orderBy} with #{orderBy} and implementing strict whitelist validation for all sort parameters. The project is marked as end-of-life by some sources; in that case, migrating to an alternative system is recommended. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 1.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"User-controlled orderBy input is concatenated directly into a MyBatis ORDER BY clause via ${} interpolation without any whitelist or sanitization."
Attack vector
An attacker sends an HTTP GET request to any of the four identified endpoints (e.g., `/mall/product/0/20`) with a malicious `orderBy` parameter. The value flows from the controller into `OrderUtil`, then directly into a MyBatis `${}` interpolation inside an `ORDER BY` clause without any whitelist or sanitization [ref_id=1]. This allows the attacker to break out of the intended sort-field semantics and inject arbitrary SQL fragments. The frontend product endpoint requires no authentication, while the admin endpoints require a valid administrator session [ref_id=1]. The researcher demonstrated time-based blind injection using `sqlmap`, confirming that the injection is exploitable [ref_id=1].
Affected code
The vulnerability spans multiple layers. Controllers such as `ForeProductListController.java` (lines 113, 119, 135), `AdminUserController.java:129`, `AdminOrderController.java:143`, and `AdminProductController.java:447` accept an `orderBy` HTTP parameter. This value is wrapped into `OrderUtil.java` (lines 5, 15) and then concatenated via `${orderUtil.orderBy}` in MyBatis mapper XML files — `ProductMapper.xml` (lines 94, 138), `UserMapper.xml:88`, and `ProductOrderMapper.xml:111` [ref_id=1].
What the fix does
No patch is published in the bundle. The advisory recommends three remediation steps: do not concatenate user-controlled input into SQL statements with `${}`, using safe parameterization or strict server-side mapping instead; enforce a whitelist of allowed sortable field names for the `orderBy` parameter; and reject unexpected SQL keywords, expressions, or special characters in sorting-related input before it reaches the data access layer [ref_id=1].
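The whitelist approach recommended above, as an added example that is not the project's code: a small value object that can only ever hold a whitelisted column and direction, so the `${orderUtil.orderBy}` interpolation in the mapper no longer carries raw user input. The class name, the `of(...)` factory and the column names are assumptions for illustration; `getOrderBy()` mirrors the `orderUtil.orderBy` property the mapper reads. Java 9+ is assumed for `Map.of`.

```java
import java.util.Map;
import java.util.Optional;

// Added example, not uzy-ssm-mall's own OrderUtil: a whitelist-backed replacement.
public final class SafeOrderBy {
    // Externally accepted sort keys mapped to real column names. The column
    // names here are assumptions; take the real ones from the mapper XML.
    private static final Map<String, String> SORTABLE = Map.of(
        "product_sale_price", "product_sale_price",
        "product_create_date", "product_create_date",
        "product_name", "product_name");

    private final String orderBy; // validated "column ASC|DESC" fragment

    private SafeOrderBy(String orderBy) { this.orderBy = orderBy; }

    // Builds the ORDER BY fragment only from whitelisted pieces. Any key not in
    // the map, or any direction other than asc/desc, is rejected before the
    // value can reach the data access layer (returns empty on rejection).
    public static Optional<SafeOrderBy> of(String sortKey, String direction) {
        if (sortKey == null || direction == null) return Optional.empty();
        String column = SORTABLE.get(sortKey.trim().toLowerCase());
        if (column == null) return Optional.empty();
        String dir = direction.trim().toUpperCase();
        if (!dir.equals("ASC") && !dir.equals("DESC")) return Optional.empty();
        return Optional.of(new SafeOrderBy(column + " " + dir));
    }

    // Property read by the mapper as ${orderUtil.orderBy}; it can only be a
    // whitelisted column plus ASC/DESC, never attacker-supplied text.
    public String getOrderBy() { return orderBy; }

    // Mapper side (MyBatis XML) keeps ${} because ORDER BY cannot take a bound
    // parameter, but the value is now built only from whitelisted pieces:
    //   <if test="orderUtil != null">ORDER BY ${orderUtil.orderBy}</if>
    // Caveat: replacing ${} with #{orderBy} binds the value as a string literal,
    // so MySQL orders by a constant and the result is not sorted at all;
    // the whitelist is required either way.

    public static void main(String[] args) {
        // Constructed inputs: a legitimate sort key, and a tainted value of the
        // kind the advisory describes, which is rejected because it is not a key.
        System.out.println(of("product_sale_price", "desc").map(SafeOrderBy::getOrderBy));
        System.out.println(of("product_sale_price AND (SELECT SLEEP(10))", "asc"));
        System.out.println(of("product_name", "asc; DROP"));
    }
}
```

The controller would call `SafeOrderBy.of(request param, request param)` and answer the request with a 400 on `Optional.empty()` instead of passing the raw string on to the mapper.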
Preconditions
- config: The application must be running uzy-ssm-mall v1.1.0
- auth: For the frontend endpoint (/mall/product/0/20), no authentication is required
- auth: For admin endpoints, a valid administrator session is required
- network: The attacker must be able to send HTTP GET requests to the application
- input: The orderBy query parameter must be accepted and processed by the application
Reproduction
1. Set up the project per the instructions: import `documents/db/uzymall.sql` into MySQL 5.7, configure `application.yml`, and start the Spring Boot application.
2. Run sqlmap against the unauthenticated endpoint: `sqlmap.py -u http://localhost:8010/mall/product/0/20?orderBy=product_sale_price --batch`.
3. sqlmap will confirm time-based blind injection.
4. Alternatively, send the crafted request: `GET /mall/product/0/20?orderBy=product_sale_price+AND+%28SELECT+9848+FROM+%28SELECT%28SLEEP%2810%29%29%29odKz%29` with a valid session cookie [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.