Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Phishing Club has Authenticated Blind SQL Injection in GetOrphaned Recipient Listing
Vulnerability Description
Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint in versions prior to v1.30.2. The endpoint constructs a raw SQL query and concatenates the user-controlled sortBy value directly into the ORDER BY clause without allowlist validation. Because unknown values are silently passed through `RemapOrderBy()`, an authenticated attacker can inject SQL expressions into the `ORDER BY` clause. This issue was patched in v1.30.2 by validating the order-by column against an allowlist and clearing unknown mappings.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Vulnerability Title
Phishing Club SQL注入漏洞
Vulnerability Description
Phishing Club是Phishing Club开源的一个钓鱼攻击模拟与演练平台。 Phishing Club 1.30.2之前版本存在SQL注入漏洞,该漏洞源于GetOrphaned接收者列表端点将用户控制的sortBy值直接拼接到ORDER BY子句中,可能导致SQL注入攻击。
CVSS Information
N/A
Vulnerability Type
N/A