
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

An issue in SpringBlade v.3.7.0 and before allows a remote attacker to escalate privileges via the lack of a permissions control framework.
• http://springblade.com https://gist.github.com/Mr-F0reigner/b05487f5ca52d17e214fffd6e1e0312a https://gitee.com/smallc/SpringBlade
• CWE-862: Missing Authorization

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

SpringBlade <=V3.6.0 is vulnerable to Incorrect Access Control due to an incorrect configuration in the default gateway, resulting in unauthorized access to error logs.
• https://gist.github.com/kaliwin/89276ec7e97f9529c989bd77706c29c7 https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/blob/master/blade-gateway/src/main/java/org/springblade/gateway/provider/AuthProvider.java
• CWE-668: Exposure of Resource to Wrong Sphere

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

In SpringBlade V3.6.0, when executing a SQL query, the parameters submitted by the user are not wrapped in quotation marks, which leads to SQL injection.
• https://gist.github.com/kaliwin/9d6cf58bb6ec06765cdf7b75e13ee460 https://sword.bladex.cn
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

SpringBlade v3.2.0 and below was discovered to contain a SQL injection vulnerability via the component customSqlSegment.
• https://forum.butian.net/share/1089 https://gitee.com/smallc/SpringBlade/blob/master/blade-service/blade-user/src/main/java/org/springblade/system/user/mapper/UserMapper.xml https://saber.bladex.vip/#/login
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

The DAO/DTO implementation in SpringBlade through 2.7.1 allows SQL Injection in an ORDER BY clause. This is related to the /api/blade-log/api/list ascs and desc parameters.
• https://gitee.com/smallc/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/9
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')