CVE-2026-10193
SQL Injection in OFCMS up to 1.1.3

Publication date: 2026-05-31

Last updated on: 2026-05-31

Assigner: VulDB

Description
A security flaw has been discovered in OFCMS up to 1.1.3. The impacted element is the function Query of the file ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\ComnController.java of the component ComnController. Performing a manipulation of the argument system.user.query results in SQL injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-05-31
Last Modified: 2026-05-31
Generated: 2026-05-31
AI Q&A: 2026-05-31
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: ofsoft
Product: ofcms
Version / Range: to 1.1.3 (inc)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an SQL injection flaw found in OFCMS up to version 1.1.3, specifically in the ComnController component's query() method. It occurs because the 'field' parameter is not properly validated and is directly appended to the ORDER BY clause of SQL queries. When the 'sqlid' parameter is set to 'system.user.query', attackers can manipulate the 'field' and 'sort' parameters to inject malicious SQL code.

Exploitation involves sending crafted HTTP POST requests that include SQL injection payloads, allowing attackers to perform blind SQL injection attacks. For example, attackers can extract sensitive information such as the administrator's password by iteratively determining its length and then extracting each character using ASCII brute-forcing techniques.

The vulnerability is triggered remotely and has been publicly disclosed, with proof-of-concept exploits available.


How can this vulnerability impact me?

This vulnerability can allow an attacker to remotely execute SQL injection attacks on the affected OFCMS system. Through these attacks, an attacker can read sensitive data from the database, such as administrator passwords.

Successful exploitation can lead to unauthorized access to sensitive information, potentially compromising the entire system's security and integrity.

Because the attacker can extract critical credentials, this could lead to further attacks, privilege escalation, and unauthorized control over the affected system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious HTTP POST requests targeting the 'system.user.query' sqlid parameter in OFCMS. Specifically, crafted requests that manipulate the 'field' and 'sort' parameters to inject SQL payloads may indicate exploitation attempts.

Detection can involve sending test HTTP POST requests with SQL injection payloads in the 'field' parameter to check if the system is vulnerable.

Example commands to test for the vulnerability include using curl to send crafted POST requests:

  • curl -X POST -d "sqlid=system.user.query&field=1' OR '1'='1" http://target/ofcms-endpoint
  • curl -X POST -d "sqlid=system.user.query&field=(SELECT user_password FROM users WHERE user_id=1)" http://target/ofcms-endpoint

Monitoring logs for repeated requests with unusual 'field' parameter values or unexpected SQL errors can also help detect exploitation attempts.
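
The log check described above, as an added example (not code from OFCMS or from this page's sources): it parses form-encoded POST bodies and reports requests where sqlid is system.user.query and field is not a bare column name or sort is not asc/desc. The class name and sample bodies are constructed, and it assumes the parameters arrive in the request body as in the curl commands above.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.Pattern;

// Added example (Java 11+); sample bodies in main() are constructed.
public class OrderByParamMonitor {
    // A legitimate sort column is a bare identifier; a direction is asc/desc.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");
    private static final Pattern DIRECTION = Pattern.compile("(?i)asc|desc");

    static Map<String, String> parseForm(String body) {
        Map<String, String> params = new HashMap<>();
        for (String pair : body.split("&")) {
            int eq = pair.indexOf('=');
            if (eq <= 0) continue;
            params.put(URLDecoder.decode(pair.substring(0, eq), StandardCharsets.UTF_8),
                       URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8));
        }
        return params;
    }

    /** Returns the reasons a request body looks suspicious (empty if none). */
    static List<String> findings(String body) {
        List<String> out = new ArrayList<>();
        Map<String, String> p;
        try {
            p = parseForm(body);
        } catch (IllegalArgumentException e) { // invalid %-sequence in the body
            out.add("malformed percent-encoding");
            return out;
        }
        if (!"system.user.query".equals(p.get("sqlid"))) return out;
        String field = p.getOrDefault("field", "");
        String sort = p.getOrDefault("sort", "");
        if (!field.isEmpty() && !IDENT.matcher(field).matches()) out.add("field is not a bare identifier");
        if (!sort.isEmpty() && !DIRECTION.matcher(sort).matches()) out.add("sort is not asc/desc");
        return out;
    }
    public static void main(String[] args) {
        String[] bodies = {
            "sqlid=system.user.query&field=create_time&sort=desc",
            "sqlid=system.user.query&field=1' OR '1'='1", // field value from the page's curl command
            "sqlid=system.user.query&field=user_id&sort=asc%2C1",
        };
        for (String b : bodies) System.out.println(findings(b) + " <- " + b);
    }
}
```

Only the first sample body yields an empty findings list; a burst of non-empty findings from one client matches the repeated-request pattern mentioned above.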


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include filtering and validating all user input parameters, especially the 'field' and 'sort' parameters used in SQL queries.

Implement a whitelist of allowed fields that can be used in the ORDER BY clause to prevent arbitrary SQL injection.

Restrict access to the vulnerable endpoint and monitor for suspicious activity.

If possible, apply patches or updates from the vendor once available, or consider disabling the vulnerable functionality until a fix is released.
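
One way to implement the ORDER BY allow-list for the 'field' and 'sort' parameters, as an added example rather than OFCMS's own code or a vendor patch. The class name, column names and query text are hypothetical and must be replaced with the real sortable columns of the affected query.

```java
import java.util.Locale;
import java.util.Map;

// Added example (Java 11+). Column names and the query are hypothetical.
// ORDER BY identifiers cannot be bound as prepared-statement parameters,
// so the SQL text must come from server-side constants, never from input.
public class OrderByAllowList {

    // Client-facing field name -> exact column text placed in the SQL.
    private static final Map<String, String> SORTABLE = Map.of(
            "user_id", "user_id",
            "login_name", "login_name",
            "create_time", "create_time");

    private static final String DEFAULT_ORDER = "user_id ASC";

    /** Returns an ORDER BY fragment built only from allow-listed constants. */
    public static String orderBy(String field, String sort) {
        if (field == null || field.isBlank()) {
            return DEFAULT_ORDER;
        }
        String column = SORTABLE.get(field.trim().toLowerCase(Locale.ROOT));
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort field");
        }
        String direction = "ASC";
        if (sort != null && !sort.isBlank()) {
            direction = sort.trim().toUpperCase(Locale.ROOT);
            if (!direction.equals("ASC") && !direction.equals("DESC")) {
                throw new IllegalArgumentException("unsupported sort direction");
            }
        }
        return column + " " + direction;
    }

    public static void main(String[] args) {
        String base = "SELECT user_id, login_name FROM sys_user WHERE status = ?";
        System.out.println(base + " ORDER BY " + orderBy("create_time", "desc"));
        // First pair uses the field value from the page's test command.
        String[][] rejected = { {"1' OR '1'='1", "asc"}, {"user_id", "up"} };
        for (String[] r : rejected) {
            try {
                orderBy(r[0], r[1]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The returned fragment is assembled from the map's values and the two fixed direction keywords, so no byte of the request reaches the SQL string even when validation passes.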


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The SQL injection vulnerability in OFCMS allows attackers to read sensitive data such as administrator passwords by exploiting improper input validation in SQL queries.

Such unauthorized access to sensitive information can lead to violations of data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive data against unauthorized access and breaches.

Therefore, this vulnerability negatively impacts compliance with these standards by exposing sensitive data to potential attackers.

