Home

Description

A SQL injection vulnerability exists in the St. Joe ERP system ("圣乔ERP系统") that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP POST requests to the login endpoint. The application fails to properly sanitize user-supplied input before incorporating it into SQL queries, enabling direct manipulation of the backend database. Successful exploitation may result in unauthorized data access, modification of records, or limited disruption of service. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-04-14 UTC.

PUBLISHED Reserved 2025-08-25 | Published 2025-08-27 | Updated 2025-08-28 | Assigner VulnCheck




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unknown

*
affected

Credits

0xSecl finder

References

blog.csdn.net/qq_41904294/article/details/144240396 technical-description exploit

github.com/...ingleRowQueryConvertor存在SQL注入漏洞.md exploit

en.fofa.info/result?qbase64=5Zyj5LmURVJQ57O757uf product

www.vulncheck.com/advisories/st-joes-erp-system-sqli third-party-advisory

cve.org (CVE-2024-13979)

nvd.nist.gov (CVE-2024-13979)

Download JSON