CVE-2023-1454 — jeecg-boot SQL Injection vulnerability

Description

A vulnerability classified as critical has been found in jeecg-boot 3.5.0. This affects an unknown part of the file jmreport/qurestSql. The manipulation of the argument apiSelectId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223299.

How to fix CVE-2023-1454

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2023-1454 being exploited?

Likely — EPSS is 93.4%, placing CVE-2023-1454 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

from 0, <= 3.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-1454
PATCHgithub.com/jeecgboot/jeecg-boot
WEBgithub.com/J0hnWalker/jeecg-boot-sqli
WEBvuldb.com/?ctiid.223299
WEBvuldb.com/?id.223299