CVE-2026-10203
SQL Injection in OFCMS 1.1.3 JSON Query Interface
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ofsoft | ofcms | 1.1.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an SQL injection flaw in OFCMS version 1.1.3, specifically in the Query function of the SystemParamController.java file. It occurs because the 'field' parameter is not properly validated and is directly appended to the ORDER BY clause in SQL queries. Attackers can exploit this by injecting malicious SQL code through the 'field' parameter, enabling blind SQL injection attacks that use nested subqueries and Boolean logic.
The vulnerability allows attackers to send crafted payloads to extract sensitive data from the database, such as the admin user's password. The attack involves determining the password length and then brute-forcing each character to reconstruct the full password.
The root cause is the lack of input filtering and the absence of a whitelist for allowed fields in the ORDER BY clause, which leads to the direct inclusion of user-controlled input in SQL queries.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in OFCMS 1.1.3 allows attackers to extract sensitive data, including the admin user's password. This unauthorized access to sensitive information can lead to violations of data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive data against unauthorized access and breaches.
Failure to mitigate this vulnerability may result in non-compliance with these standards due to inadequate data security controls, potentially leading to legal and financial consequences.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized access to sensitive data stored in the database. Specifically, attackers can extract confidential information such as the administrator's password.
Successful exploitation can lead to a full compromise of the administrative account, allowing attackers to control the system, manipulate data, and potentially escalate their privileges.
Since the attack can be launched remotely without user interaction, it increases the risk of widespread exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /admin/system/param/query.json interface for SQL injection through the 'field' parameter. Specifically, crafted payloads can be sent to the 'field' and 'sort' parameters to check if SQL injection is possible by observing responses to blind SQL injection attempts.
For detection, you can use tools like curl or sqlmap to send payloads targeting the 'field' parameter to see if the backend SQL query is vulnerable.
- Example curl command to test injection: curl -G 'http://<target>/admin/system/param/query.json' --data-urlencode "field=1' OR '1'='1" --data-urlencode "sort=asc"
- Using sqlmap: sqlmap -u "http://<target>/admin/system/param/query.json?field=fieldname&sort=asc" -p field --batch
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include filtering user input data for the 'field' parameter and implementing a whitelist of allowed fields that can be used in SQL ORDER BY clauses.
Ensure that only predefined, safe fields are appended to SQL queries to prevent injection.
Additionally, monitor and restrict access to the vulnerable interface and consider applying any patches or updates once available.
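The allow-list described above for the 'field' parameter, as an added example that is not OFCMS code. Bound parameters cannot carry column names, so the ORDER BY clause is assembled only from constants; the class name, the accepted request values, and the column and table names are hypothetical.

```java
import java.util.Locale;
import java.util.Map;

// Added example: allow-list for an ORDER BY clause built from the 'field' and
// 'sort' request parameters. Column and table names below are hypothetical.
public final class OrderByAllowList {

    // Request value -> fixed SQL column. Only these literals ever reach the SQL text.
    private static final Map<String, String> SORTABLE = Map.of(
            "id", "param_id",
            "name", "param_name",
            "updated", "update_time");

    private static final String DEFAULT_ORDER = " ORDER BY param_id ASC";

    private OrderByAllowList() {}

    /** Returns an ORDER BY clause composed only of constants from this class. */
    public static String orderBy(String field, String sort) {
        if (field == null) {
            return DEFAULT_ORDER;
        }
        String column = SORTABLE.get(field.trim().toLowerCase(Locale.ROOT));
        if (column == null) {
            // Unknown value: reject it instead of trying to escape or strip it.
            throw new IllegalArgumentException("unsupported sort field");
        }
        // The direction is untrusted too; map it to one of two keywords.
        String direction = "desc".equalsIgnoreCase(sort) ? "DESC" : "ASC";
        return " ORDER BY " + column + " " + direction;
    }

    public static void main(String[] args) {
        String base = "SELECT * FROM system_param"; // hypothetical table name
        System.out.println(base + orderBy("name", "desc"));
        System.out.println(base + orderBy(null, null));
        try {
            // Constructed input: anything that is not an allow-list key is refused.
            orderBy("(select 1)", "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejected values are worth logging with the client address, since a legitimate client only ever sends the allow-listed keys.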