ketr JEPaaS readAllPostil sql injection

A vulnerability was found in ketr JEPaaS up to 7.2.8. This impacts the function readAllPostil of the file /je/postil/postil/readAllPostil. Performing a manipulation of the argument keyWord results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

ketr JEPaaS SQL注入漏洞

ketr JEPaaS是中国凯特伟业（ketr）开源的一个低代码快速开发平台。 ketr JEPaaS 7.2.8及之前版本存在SQL注入漏洞，该漏洞源于对文件/je/postil/postil/readAllPostil中参数keyWord的错误操作，可能导致SQL注入。

N/A

N/A