Impact
Irregular SQL construction leads to SQL injection; the keyword blacklist meant to defend against SQL injection has gaps, so injection methods not covered by the blacklist can still be used.
Interface: /api/sys_msg/list/1/10
Vulnerable parameter: orders
- A SQL error is returned after a single quote is inserted into the parameter.

- src/main/java/io/dataease/ext/ExtSysMsgMapper.xml uses '${}' to splice orderByClause directly into the SQL text, which leads to injection; several other XML mapper files also splice with '${}'.

- The keyword blacklist used to defend against SQL injection is in src/main/java/io/dataease/commons/wrapper/XssAndSqlHttpServletRequestWrapper.java.

- In error-based injection, functions such as GTID_SUBSET that are not on the blacklist can also be used to bypass it; a hand-maintained blacklist is prone to omissions.
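The following is an added illustration, not DataEase's own code: the MyBatis '${}' splicing pattern the advisory describes (shown in a comment), beside an allowlist-based ORDER BY builder that removes the need for a keyword blacklist. The table name, column names and class name are assumed.

```java
import java.util.Map;
import java.util.Set;

public class OrderByExample {
    // Unsafe pattern the advisory describes (mapper XML shown in a comment):
    //
    //   <select id="list" resultType="...">
    //     SELECT * FROM sys_msg          <!-- table name assumed -->
    //     <if test="orderByClause != null">ORDER BY ${orderByClause}</if>
    //   </select>
    //
    // ${} substitutes the caller's text into the statement before it is
    // prepared, so a single quote or any SQL function in "orders" reaches
    // the database unparsed. A request-level keyword blacklist cannot close
    // this: the set of functions and syntax an attacker can use is open-ended.

    // ORDER BY cannot take a bound parameter (#{}), so the fix is an allowlist:
    // map the client's sort key to a fixed column and direction, and reject
    // anything else before it reaches the mapper.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
        "createTime", "create_time",   // assumed column names, for illustration
        "status", "status",
        "typeId", "type_id");
    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");

    /** Builds a safe ORDER BY fragment; throws if either part is not allowlisted. */
    public static String toOrderByClause(String field, String direction) {
        String column = SORT_COLUMNS.get(field);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort field");
        }
        String dir = direction == null ? "ASC" : direction.toUpperCase();
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("unsupported sort direction");
        }
        // Only allowlisted literals are concatenated, so the value handed to
        // ${orderByClause} can no longer carry caller-controlled SQL.
        return column + " " + dir;
    }

    public static void main(String[] args) {
        System.out.println(toOrderByClause("createTime", "desc"));
        try {
            toOrderByClause("createTime'", "asc"); // the single-quote probe from the advisory
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The mapper keeps '${orderByClause}', but the controller only ever passes it the output of toOrderByClause, so every other '${}' splice in the project's XML files needs the same treatment.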

Affected versions: <= 1.18.4
Patches
The vulnerability has been fixed in v1.18.5.
Workarounds
It is recommended to upgrade to v1.18.5.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/dataease
Email us at wei@fit2cloud.com