CVE-2021-28890 Information

Description

J2eeFAST 2.2.1 allows remote attackers to perform SQL injection via (1) the compId parameter to fast/sys/user/list, (2) the deptId parameter to fast/sys/role/list, or (3) the roleId parameter to fast/sys/role/authUser/list. The root cause is that these parameter values are spliced into the SQL text with `$` string substitution rather than bound as query parameters, so attacker-controlled input becomes part of the executed statement.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://gitee.com/zhouhuanOGP/J2EEFAST/issues/I3BOFQ

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Base Severity

HIGH
