Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
diskover-web v2.3.0 Community Edition is vulnerable to multiple boolean-based blind SQL injection flaws in its Elasticsearch configuration form. Unsanitized user input in POST parameters such as ES_PASS, ES_MAXSIZE, ES_TRANSLOGSIZE, ES_TIMEOUT, ES_USER, ES_HOST, ES_PORT, ES_SCROLLSIZE, ES_CHUNKSIZE and others can be crafted to inject arbitrary SQLite expressions wrapped in JSON functions. By exploiting these injection points, an attacker can infer or extract sensitive information from the underlying database without authentication. This issue stems from improper input validation and parameterization in the application's JSON-based query construction.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Diskover-web 安全漏洞
Vulnerability Description
Diskover-web是美国Diskover公司的一款文件系统索引工具。 Diskover-web v2.3.0版本存在安全漏洞,该漏洞源于Elasticsearch配置表单中多个POST参数清理不当,可能导致SQL注入攻击。
CVSS Information
N/A
Vulnerability Type
N/A