CVE-2026-7727
SQL Injection in Shandong Hoteam PDM System
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shandong_hoteam_software | pdm_product_data_management_system | up to 8.3.9 (inclusive) |
| shandong_hoteam_software | pdm_product_data_management_system | from 8.3.10 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SQL injection via the SortOrder argument in the GetQueryMachineGridOnePageData function of the /Base/BaseService.asmx/DataService endpoint in Shandong Hoteam Software PDM Product Data Management System up to version 8.3.9.
To detect this vulnerability on your network or system, you can monitor HTTP requests targeting the /Base/BaseService.asmx/DataService endpoint and inspect the SortOrder parameter for suspicious or malformed input that could indicate an SQL injection attempt.
A simple command to test for this vulnerability using curl might be:
- curl -X POST "http://[target]/Base/BaseService.asmx/DataService" -d "SortOrder=' OR '1'='1" -H "Content-Type: application/x-www-form-urlencoded"
You can also use network monitoring tools or web application firewalls to detect unusual patterns or payloads in requests to this endpoint.
Upgrading to version 8.3.10 or later is recommended to mitigate this issue.
Can you explain this vulnerability to me?
This vulnerability exists in the Shandong Hoteam Software PDM Product Data Management System up to version 8.3.9. It affects the function GetQueryMachineGridOnePageData in the file /Base/BaseService.asmx/DataService. The issue is caused by manipulation of the argument SortOrder, which leads to an SQL injection vulnerability. This means an attacker can remotely exploit this flaw by injecting malicious SQL code through the SortOrder parameter.
Upgrading to version 8.3.10 mitigates this vulnerability.
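The two answers above describe the same root cause from two sides: a SortOrder value that is copied into an ORDER BY clause, and the need to spot SortOrder values that are not plain sort expressions. The following script is an added example and is not code from the vendor or from this record. It shows the mitigation pattern (an allowlist validator that maps SortOrder onto a fixed set of column names and two directions, never copying the raw value into SQL) and reuses that validator as a detection rule over request logs for the /Base/BaseService.asmx/DataService endpoint. The column names in the allowlist, the log format and the log lines are all constructed for the example; in particular, standard IIS logs do not record POST bodies, so the scanner assumes a reverse-proxy or WAF log that captures the form body.

```python
import re
import urllib.parse
from typing import Dict, List, Optional

# Hypothetical allowlist: the columns the machine grid may be sorted by.
# A real deployment would derive this from the grid's column definitions.
ALLOWED_SORT_COLUMNS = {"MachineName", "MachineCode", "CreateTime", "Status"}

# A safe SortOrder is one identifier, optionally followed by ASC or DESC.
SORT_ORDER_RE = re.compile(
    r"^(?P<column>[A-Za-z_][A-Za-z0-9_]*)(?:\s+(?P<direction>ASC|DESC))?$",
    re.IGNORECASE,
)

# Endpoint named in the advisory.
TARGET_PATH = "/Base/BaseService.asmx/DataService"

# Constructed log format: <timestamp> <client-ip> <method> <path> "<form body>"
LOG_LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+"(?P<body>[^"]*)"$'
)


def validate_sort_order(value: str) -> Optional[str]:
    """Return a safe ORDER BY fragment for an allowlisted SortOrder, else None.

    The raw parameter is never placed into SQL; it only selects among known
    column names and two fixed directions, which is the hardened form of the
    string-concatenation pattern behind this CVE.
    """
    m = SORT_ORDER_RE.match(value.strip())
    if not m:
        return None
    column = m.group("column")
    # Case-insensitive lookup, but emit the canonical column name.
    canonical = next(
        (c for c in ALLOWED_SORT_COLUMNS if c.lower() == column.lower()), None
    )
    if canonical is None:
        return None
    direction = (m.group("direction") or "ASC").upper()
    return f"ORDER BY [{canonical}] {direction}"


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests to the DataService endpoint whose SortOrder fails the allowlist."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m or m.group("path") != TARGET_PATH:
            continue
        # parse_qs decodes percent-encoding and '+' so we inspect the real value.
        params = urllib.parse.parse_qs(m.group("body"), keep_blank_values=True)
        for raw in params.get("SortOrder", []):
            if validate_sort_order(raw) is None:
                findings.append(
                    {"ts": m.group("ts"), "client": m.group("client"), "sort_order": raw}
                )
    return findings


# Constructed sample log; the fourth line carries the payload quoted in the
# detection answer above, the fifth a column that is not in the allowlist.
SAMPLE_LOG = [
    '2026-05-04T10:00:01Z 203.0.113.10 POST /Base/BaseService.asmx/DataService "SortOrder=CreateTime+DESC&PageIndex=1"',
    '2026-05-04T10:00:02Z 203.0.113.10 POST /Base/BaseService.asmx/DataService "SortOrder=MachineName&PageIndex=2"',
    '2026-05-04T10:00:03Z 203.0.113.10 GET /Base/Other.asmx/Ping ""',
    '2026-05-04T10:00:04Z 203.0.113.77 POST /Base/BaseService.asmx/DataService "SortOrder=%27+OR+%271%27%3D%271&PageIndex=1"',
    '2026-05-04T10:00:05Z 203.0.113.78 POST /Base/BaseService.asmx/DataService "SortOrder=NotAColumn+ASC"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} rejected SortOrder={f['sort_order']!r}")
```

The validator is deliberately strict: anything that is not one known column plus an optional direction is rejected, so a multi-column sort or an unknown column shows up as a finding as well. That is the right trade-off for a sort parameter, where the legitimate value space is tiny, but it means the allowlist must be kept in step with the grid's columns or benign requests will be flagged.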
How can this vulnerability impact me?
This SQL injection vulnerability can allow a remote attacker to manipulate the database queries executed by the affected system. Potential impacts include unauthorized access to sensitive data, data modification, data deletion, or disruption of service. Because the attack requires no privileges or user interaction, it poses a significant risk to the confidentiality, integrity, and availability of the system's data.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the affected Shandong Hoteam Software PDM Product Data Management System to version 8.3.10.