when connecting through these interfaces. The following is an example of SQL injection through the Product.category() and Product.description() functions: the values these functions receive are concatenated into the statement text and executed, rather than being bound as query parameters.

-- Dynamic SQL: the statement is assembled from string fragments and executed
-- as-is, so whatever value category() or description() receives becomes part
-- of the statement text instead of being bound as a parameter. The last
-- fragment is where the caller-supplied value is spliced in.
exec('select * from categories where category_id = ('
   + 'select products.category_id from products where products.id = ('
   + 'select description from products where products.id = '
   + 'products.category_id' + '))');

When calling category() or description(), validate the value before it reaches the query. An empty value makes the generated statement fail with an error, and a value that is not in the expected format (for example, one containing a quote character) is exactly what the concatenation above turns into part of the statement. Only pass values that match the identifier format the function expects.

SQL Injection using the Order() Function

The following is an example of SQL injection through the Order() function.

-- Nested lookup driven by the Order() argument: the '' between the quotes is
-- the empty placeholder where the caller-supplied product id is spliced in,
-- so a value containing a quote escapes the literal and alters the statement.
SELECT products.name FROM products WHERE products.id = (
    SELECT categories.category_id FROM categories WHERE category_id = (
        SELECT orders.order_id FROM orders WHERE orders.product_id = '' AND orders.status = 1
    )
);
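To make the two injection paths above concrete, here is an added, runnable illustration that is not code from the affected product or from this advisory. It models category() and Order() as functions that build their SQL by string concatenation (the vulnerable shape shown above) next to versions that validate the argument's format and bind it as a parameter. The schema, table rows, function names and payloads are all constructed for this example; the real application's schema is not described on the page.

```python
import sqlite3

# Constructed sample schema for the example only (not the product's schema).
SCHEMA = """
CREATE TABLE categories (category_id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE products   (id INTEGER PRIMARY KEY, name TEXT, description TEXT,
                         category_id INTEGER REFERENCES categories(category_id));
CREATE TABLE orders     (order_id INTEGER PRIMARY KEY, product_id INTEGER, status INTEGER);
INSERT INTO categories VALUES (1, 'books'), (2, 'tools');
INSERT INTO products   VALUES (10, 'compiler book', 'hardcover', 1),
                              (11, 'wrench', 'steel, 10 inch', 2);
INSERT INTO orders     VALUES (100, 10, 1), (101, 11, 1), (102, 11, 0);
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- Vulnerable shape: the argument is spliced into the statement text -------

def category_vulnerable(conn, product_id):
    # Same structure as the page's category() query: a nested lookup whose
    # innermost literal is built from the caller's value.
    sql = ("SELECT category_id, name FROM categories WHERE category_id = "
           f"(SELECT category_id FROM products WHERE id = '{product_id}')")
    return conn.execute(sql).fetchall()


def order_vulnerable(conn, product_id):
    # Same structure as the page's Order() query: product id literal plus a
    # status = 1 filter, all in one concatenated string.
    sql = (f"SELECT order_id FROM orders WHERE product_id = '{product_id}' "
           "AND status = 1")
    return conn.execute(sql).fetchall()


# --- Hardened shape: check the format first, then bind the value ------------

def _require_id(value):
    # Hypothetical validation rule: product ids are non-empty decimal strings.
    if value == "":
        raise ValueError("product id must not be empty")
    if not value.isdigit():
        raise ValueError(f"product id must be numeric, got {value!r}")
    return int(value)


def category_safe(conn, product_id):
    pid = _require_id(product_id)
    sql = ("SELECT category_id, name FROM categories WHERE category_id = "
           "(SELECT category_id FROM products WHERE id = ?)")
    return conn.execute(sql, (pid,)).fetchall()


def order_safe(conn, product_id):
    pid = _require_id(product_id)
    sql = "SELECT order_id FROM orders WHERE product_id = ? AND status = 1"
    return conn.execute(sql, (pid,)).fetchall()


def demo():
    conn = connect()
    # Closes the inner subquery's literal and parenthesis, appends a tautology,
    # and comments out the rest of the statement.
    cat_payload = "') OR 1=1 --"
    # Closes the literal, appends a tautology, and comments out "AND status = 1",
    # so the status-0 order is returned as well.
    order_payload = "' OR 1=1 --"
    leaked_categories = category_vulnerable(conn, cat_payload)
    leaked_orders = order_vulnerable(conn, order_payload)
    try:
        category_safe(conn, cat_payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_categories": len(leaked_categories),  # every category
        "vulnerable_orders": len(leaked_orders),          # every order, any status
        "safe_rejects_payload": rejected,
        "safe_category_of_10": category_safe(conn, "10"),
        "safe_orders_for_11": order_safe(conn, "11"),
    }


if __name__ == "__main__":
    print(demo())
```

The format check covers the advisory's two pieces of advice (no empty value, correct format) and the parameter binding removes the concatenation that makes the format matter in the first place; either alone is weaker than both together.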

Timeline

Published on: 09/15/2022 15:15:00 UTC
Last modified on: 09/18/2022 21:56:00 UTC

References