Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenSupports 4.11.0 — SQL Injection
Vulnerability Description
The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping and disclosing tickets beyond their intended access. This issue affects OpenSupports: 4.11.0.
CVSS Information
N/A
Vulnerability Type
Improper neutralization of special elements used in an SQL command (SQL injection)
Vulnerability Title
OpenSupports SQL Injection Vulnerability
Vulnerability Description
OpenSupports is a simple open-source ticketing platform published by OpenSupports. OpenSupports version 4.11.0 contains a SQL injection vulnerability. The flaw arises because the user-controlled parameter departmentId is concatenated directly into the SQL WHERE clause without parameter binding, which may allow a SQL injection attack.
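The following is an added illustration of the flaw described in both descriptions above (string concatenation of departmentId into a WHERE clause) beside the parameter-bound form that fixes it. It is a constructed model using an in-memory SQLite table, not OpenSupports' own code or schema; the function names and the sample ticket rows are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory ticket table standing in for the real data model."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ticket (id INTEGER, department_id INTEGER, title TEXT)")
    db.executemany("INSERT INTO ticket VALUES (?, ?, ?)", [
        (1, 1, "printer jam"),
        (2, 2, "payroll export"),
        (3, 2, "vpn access"),
    ])
    return db


def get_new_tickets_vulnerable(db, department_id):
    """Mirrors the flaw: the request parameter is concatenated straight into the
    WHERE clause, so whatever the caller sends becomes part of the SQL text and
    can change the filter logic (department scoping is not enforced)."""
    sql = "SELECT id FROM ticket WHERE department_id = " + str(department_id) + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def get_new_tickets_fixed(db, department_id):
    """Parameter binding: the value travels to the driver separately from the
    query text and can never alter its structure. Coercing to int first rejects
    malformed input early and documents the parameter's intended type."""
    try:
        department_id = int(department_id)
    except (TypeError, ValueError):
        raise ValueError("departmentId must be an integer")
    sql = "SELECT id FROM ticket WHERE department_id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (department_id,))]


def fixed_rejects(db, value):
    """True if the fixed handler refuses the value instead of executing it.
    Useful as a regression test in the application's own test suite."""
    try:
        get_new_tickets_fixed(db, value)
        return False
    except ValueError:
        return True
```

A staff account scoped to department 1 should only ever see ticket 1; the vulnerable handler returns every ticket when the parameter carries a crafted condition, while the fixed handler refuses it.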
CVSS Information
N/A
Vulnerability Type
N/A