CVE-2026-5328
Status: Received - Intake
SQL Injection in ProductItemDao's ProductIndexServiceImpl Function

Publication date: 2026-04-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in shsuishang modulithshop up to commit 829bac71f507e84684c782b9b062b8bf3b5585d6. The affected element is the function listItem of the file src/main/java/com/suisung/shopsuite/pt/service/impl/ProductIndexServiceImpl.java in the ProductItemDao Interface component. Manipulation of the argument sidx/sort can lead to SQL injection. The attack may be performed remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release system for continuous delivery, so version information for affected or updated releases is not disclosed. The fix is commit 42bcb9463425d1be906c3b290cf29885eb5a2324; applying that patch remediates the issue.
Meta Information
Published: 2026-04-02
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
2 associated CPEs

Vendor      Product       Version / Range
shsuishang  modulithshop  up to 829bac71f507e84684c782b9b062b8bf3b5585d6 (inclusive)
shsuishang  modulithshop  up to 829bac71f507e84684c782b9b062b8bf3b5585d6 (exclusive)
CWE
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a SQL injection issue in the shsuishang modulithshop system, specifically in the listItem function of the ProductItemDao interface. It arises from unsafe handling of the sorting parameters `sidx` and `sort`, which are used directly in SQL ORDER BY clauses without validation or sanitization.

Attackers can manipulate these parameters remotely to inject malicious SQL code, potentially compromising the database. The vulnerability exists because the parameters are interpolated directly into SQL statements using `${}` syntax in MyBatis XML mapper files, allowing injection of arbitrary SQL.

A patch was introduced that sanitizes the `sidx` parameter by removing dangerous characters and validating it against the actual fields of the ProductItem entity, and restricts the `sort` parameter to only 'ASC' or 'DESC'. This prevents attackers from injecting unauthorized SQL commands through these parameters.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The SQL injection vulnerability in the ProductItemDao interface allows unauthorized attackers to extract sensitive data such as product details, user information, system configuration, administrative credentials, and potentially sensitive business and financial data.

Such unauthorized data access and potential data manipulation could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, this vulnerability poses a risk to compliance with these standards by exposing sensitive data to attackers and potentially enabling data breaches.


How can this vulnerability impact me?

Exploitation of this SQL injection vulnerability can lead to serious impacts including unauthorized extraction of sensitive data such as product details (SKU, pricing, inventory), user information, system configuration, and administrative credentials.

Attackers may also gain the ability to disclose database structure information, manipulate data (INSERT, UPDATE, DELETE), and potentially achieve full database compromise depending on the database configuration.

The vulnerability can be exploited remotely without authentication via specially crafted requests to the frontend endpoint, making it a significant risk for data breaches and system integrity.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring and testing the affected GET endpoint `/front/pt/product/listItem` for SQL injection attempts through the `sidx` and `sort` query parameters.

One way to detect exploitation attempts is to send crafted requests that include SQL injection payloads in the `sidx` parameter and observe the responses or errors returned by the system.

An example command using curl to test for the vulnerability is:

  • curl -v "http://<target-host>/front/pt/product/listItem?sidx=item_id,(select updatexml(1,concat(0x7e,@@version_comment,0x7e),1))&sort=desc"

If the response contains database error messages or unusual output, that indicates the presence of an SQL injection vulnerability.

Additionally, network intrusion detection systems (NIDS) can be configured to look for suspicious patterns in HTTP requests targeting this endpoint with SQL keywords or special characters in the `sidx` or `sort` parameters.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the patch identified by commit 42bcb9463425d1be906c3b290cf29885eb5a2324, which sanitizes and validates the `sidx` parameter in the `listItem` method.

  • Sanitize the `sidx` parameter by removing dangerous characters such as backticks (`).
  • Validate the `sidx` parameter against a whitelist of allowed column names corresponding to the `ProductItem` entity fields.
  • Restrict the `sort` parameter strictly to either 'ASC' or 'DESC' values.
  • Replace unsafe string interpolation (`${}`) in MyBatis XML mappers with parameter binding (`#{}`) to prevent direct injection.
  • Conduct a thorough code review to identify and fix similar unsafe SQL interpolation patterns in other parts of the codebase.

If immediate patching is not possible, consider implementing web application firewall (WAF) rules to block suspicious requests containing SQL injection patterns targeting the vulnerable parameters.
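As an added illustration, not the project's code and not the 42bcb946 patch itself, the following Java class shows the mitigation steps above applied to the two parameters (identifier check plus column whitelist for `sidx`, ASC/DESC only for `sort`) and reuses the same validator to scan web-server access logs for rejected values, which addresses the detection question earlier on this page from the log side rather than by probing the endpoint. The column whitelist, the class and method names, the log-line format and the sample log lines are assumptions; the real list of ProductItem entity fields is not given on the page.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical guard for ORDER BY parameters; not the project's own code. */
public final class SortParamGuard {

    // Assumed whitelist: the actual ProductItem field names are not listed on the page.
    private static final Set<String> ALLOWED_COLUMNS =
        Set.of("item_id", "product_id", "item_price", "item_stock");

    // A bare SQL identifier only: no backticks, commas, parentheses, quotes or spaces.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");

    // Matches the request part of a common access-log line for the affected endpoint (assumed format).
    private static final Pattern LIST_ITEM_REQUEST =
        Pattern.compile("\"GET /front/pt/product/listItem\\?([^ \"]*) HTTP");

    private SortParamGuard() {}

    /** sidx is accepted only if it is a plain identifier AND names a whitelisted column. */
    public static boolean isAllowedColumn(String sidx) {
        return sidx != null
            && IDENTIFIER.matcher(sidx).matches()
            && ALLOWED_COLUMNS.contains(sidx.toLowerCase(Locale.ROOT));
    }

    /** sort is accepted only as ASC or DESC (case-insensitive). */
    public static boolean isAllowedDirection(String sort) {
        return "ASC".equalsIgnoreCase(sort) || "DESC".equalsIgnoreCase(sort);
    }

    /** Builds the ORDER BY fragment from validated literals only; rejected input falls back to defaults. */
    public static String orderByClause(String sidx, String sort) {
        String column = isAllowedColumn(sidx) ? sidx.toLowerCase(Locale.ROOT) : "item_id";
        String direction = "DESC".equalsIgnoreCase(sort) ? "DESC" : "ASC";
        return "ORDER BY " + column + " " + direction;
    }

    /** Returns the log lines whose sidx or sort value the guard above would reject. */
    public static List<String> suspiciousRequests(List<String> accessLog) {
        List<String> hits = new ArrayList<>();
        for (String line : accessLog) {
            Matcher m = LIST_ITEM_REQUEST.matcher(line);
            if (!m.find()) continue;
            for (String pair : m.group(1).split("&")) {
                int eq = pair.indexOf('=');
                if (eq < 0) continue;
                String key = pair.substring(0, eq);
                // Decode so that %2C, %3B, %20 etc. are judged as the characters the server sees.
                String value = URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
                boolean rejected = ("sidx".equals(key) && !isAllowedColumn(value))
                                || ("sort".equals(key) && !isAllowedDirection(value));
                if (rejected) {
                    hits.add(line);
                    break;
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample log lines: the first is benign, the other two carry rejected values.
        List<String> log = List.of(
            "10.0.0.5 - - [02/Apr/2026:10:00:00 +0000] \"GET /front/pt/product/listItem?sidx=item_price&sort=desc HTTP/1.1\" 200 512",
            "10.0.0.9 - - [02/Apr/2026:10:00:07 +0000] \"GET /front/pt/product/listItem?sidx=item_id%2C(select%201)&sort=desc HTTP/1.1\" 500 88",
            "10.0.0.9 - - [02/Apr/2026:10:00:09 +0000] \"GET /front/pt/product/listItem?sidx=item_id&sort=desc%3B--%20x HTTP/1.1\" 200 512");

        System.out.println(orderByClause("item_price", "desc"));
        System.out.println(orderByClause("item_id,(select 1)", "x"));
        suspiciousRequests(log).forEach(l -> System.out.println("SUSPICIOUS: " + l));
    }
}
```

One design point worth keeping in mind when applying the mitigation list: MyBatis `#{}` binding protects values, but an ORDER BY column name is an identifier, and binding it as a value does not produce the intended ordering. That is why the column goes through a whitelist and the direction through a fixed ASC/DESC choice, and only those validated literals reach the mapper. The same validator doubles as the detection rule: any logged request whose parameter would have been rejected is worth a look, and a 500 status on such a line (as in the second constructed sample) is a strong signal of an error-based probe.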

