Miggo Logo
Miggo Vulnerability Database
CVE-2020-20913

CVE-2020-20913: Ming-Soft MCMS vulnerable to SQL injection

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-20913
GHSA ID
GHSA-hx8p-9m48-g76r
EPSS Score
0.87285%
CWE
CWE-89
Published
4/4/2023
Updated
4/7/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
net.mingsoft:ms-mcmsmaven< 5.15.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability report explicitly shows the search handler method at '/{searchId}/search' endpoint processes the 'basic_title' parameter. The provided code snippet demonstrates direct use of request parameters (including basic_title) for database operations without visible sanitization. SQLMap results confirm successful injection through this parameter. The controller method's handling of raw user input matches the CWE-89 SQL injection pattern of unfiltered parameter usage in SQL commands.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

SQL Inj**tion vuln*r**ility *oun* in Min*-So*t M*MS v.*.*.* *llows * r*mot* *tt**k*r to *x**ut* *r*itr*ry *o** vi* `**si*_titl*` p*r*m*t*r. T*is issu* is r*solv** in v*.*.

Reasoning

T** vuln*r**ility r*port *xpli*itly s*ows t** s**r** **n*l*r m*t*o* *t '/{s**r**I*}/s**r**' *n*point pro**ss*s t** '**si*_titl*' p*r*m*t*r. T** provi*** *o** snipp*t **monstr*t*s *ir**t us* o* r*qu*st p*r*m*t*rs (in*lu*in* **si*_titl*) *or **t***s* o