kuaifan DooTask UsersController.php sql injection

A vulnerability was found in kuaifan DooTask up to 1.2.49. Affected by this vulnerability is an unknown functionality of the file app/Http/Controllers/Api/UsersController.php. The manipulation of the argument keys[department] results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

DooTask SQL注入漏洞

DooTask是kuaifan个人开发者的一个任务管理工具。 DooTask 1.2.49及之前版本存在SQL注入漏洞，该漏洞源于对文件app/Http/Controllers/Api/UsersController.php中参数keys[department]的错误操作，可能导致SQL注入攻击。

N/A

N/A