inxedu through 2018-12-24 has a SQL Injection vulnerability that can lead to information disclosure via the deleteFaveorite/ PATH_INFO. The vulnerable code location is deleteFavorite in com/inxedu/os/edu/controller/user/, where courseFavoritesService.deleteCourseFavoritesById is mishandled during use of MyBatis. NOTE: the code has a spelling variation in an annotation: a @RequestMapping("/deleteFaveorite/{ids}") line followed by a "public ModelAndView deleteFavorite" line.

Source: CVE-2019-3576
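
A defensive sketch for this class of bug, added here as an example and not taken from inxedu: strict parsing of the {ids} path value into numbers before it reaches a MyBatis mapper, with the bound-parameter mapper form shown in the comment. The class name, table name, id limit and mapper SQL are assumptions; the advisory does not show the project's mapper.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical helper (not inxedu code): parse the comma-separated value of a
 * path variable such as /deleteFaveorite/{ids} into a list of longs.
 *
 * Assumed MyBatis mapper contrast (table name "favorites" is made up):
 *   weak:  DELETE FROM favorites WHERE id IN (${ids})
 *          ${} pastes the request text into the SQL statement.
 *   bound: DELETE FROM favorites WHERE id IN
 *          <foreach collection="ids" item="id" open="(" separator="," close=")">
 *            #{id}
 *          </foreach>
 *          #{} sends each value as a prepared-statement parameter.
 */
public class FavoriteIds {
    private static final int MAX_IDS = 100; // assumed per-request limit

    /** Returns the parsed ids; throws IllegalArgumentException on any bad token. */
    static List<Long> parse(String raw) {
        if (raw == null || raw.isEmpty()) {
            throw new IllegalArgumentException("ids is empty");
        }
        String[] parts = raw.split(",", -1); // -1 keeps empty tokens, so "1,,2" fails
        if (parts.length > MAX_IDS) {
            throw new IllegalArgumentException("too many ids");
        }
        List<Long> ids = new ArrayList<>(parts.length);
        for (String p : parts) {
            // 1 to 18 digits always fits in a long, so parseLong cannot overflow
            if (!p.matches("[0-9]{1,18}")) {
                throw new IllegalArgumentException("non-numeric id token");
            }
            ids.add(Long.parseLong(p));
        }
        return ids;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two well-formed, four malformed
        String[] samples = {"12,13,14", "7", "1,,2", "12 OR 1=1", "12)", ""};
        for (String s : samples) {
            try {
                System.out.println("accept " + parse(s));
            } catch (IllegalArgumentException e) {
                System.out.println("reject \"" + s + "\": " + e.getMessage());
            }
        }
    }
}
```

The parsed List<Long> is what the service method should receive; the raw path string should not be passed to the mapper at all.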
