Miggo Logo

CVE-2020-23262: SQL injection without credentials in ming-soft MCMS

9.8

CVSS Score
3.1

Basic Information

EPSS Score
0.49734%
Published
2/9/2022
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
net.mingsoft:ms-mcmsmaven< 5.15.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key functions: 1) The MyBatis mapper IContentDao.xml uses unsafe ${orderBy} interpolation in SQL ORDER BY clause. 2) The controller MCmsAction.view() passes unvalidated user input to this query. Runtime detection would show these functions processing malicious 'orderby' values. The XML mapper's SQL construction and Java controller's parameter handling are both visible in stack traces when exploiting the /view.do endpoint with SQLi payloads.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in min*-so*t M*MS v*.*, w**r* * m*li*ious us*r **n *xploit SQL inj**tion wit*out lo**in* in t*rou** /m*ms/vi*w.*o.

Reasoning

T** vuln*r**ility st*ms *rom two k*y *un*tions: *) T** My**tis m*pp*r `I*ont*nt**o.xml` us*s uns*** ${or**r*y} int*rpol*tion in SQL OR**R *Y *l*us*. *) T** *ontroll*r `M*ms**tion.vi*w()` p*ss*s unv*li**t** us*r input to t*is qu*ry. Runtim* **t**tion