CVE-2024-58352
Deferred - Pending Action

HQL Injection in Landray OA

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated attackers to query arbitrary Hibernate entity classes by injecting malicious HQL syntax into the uid POST parameter of the wechatLoginHelper.do endpoint. Attackers can exploit the lack of input sanitization in the string-concatenated filter expression passed to the Hibernate findList() call to extract sensitive data such as administrator password hashes and, with sufficient database privileges, perform file-write operations enabling remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-03-11 (UTC).

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor: landray
Product: oa
Version / Range: *

Exploitability

CWE-564: Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

AI Quick Actions

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive data such as administrator passwords and user personal information.

If attackers gain sufficient database privileges, they can write malicious files to the server, potentially leading to remote code execution and full system compromise.

Such exploitation can result in loss of data confidentiality and integrity, and may allow attackers to control the affected system.

Executive Summary

CVE-2024-58352 is an unauthenticated Hibernate Query Language (HQL) injection vulnerability in Landray OA, specifically in the wechatLoginHelper.do endpoint.

Attackers can inject malicious HQL syntax into the uid POST parameter due to insufficient input sanitization in the string-concatenated filter expression passed to the Hibernate findList() call.

This allows unauthenticated attackers to query arbitrary Hibernate entity classes, potentially extracting sensitive data such as administrator password hashes.

With sufficient database privileges, attackers could also perform file-write operations, enabling remote code execution.

Detection Guidance

This vulnerability can be detected by monitoring for malicious POST requests to the /third/wechat/wechatLoginHelper.do endpoint, specifically those injecting suspicious HQL or SQL syntax into the uid parameter.

One detection method is to use FOFA search syntax to identify affected assets with the query: app="Landray-OA系统".

On your system or network, you can look for POST requests containing SQL injection payloads such as the use of updatexml or other SQL functions in the uid parameter.

  • Example command to list POST requests to the endpoint in web server logs (Linux): grep -i 'POST /third/wechat/wechatLoginHelper.do' /var/log/nginx/access.log | grep -i 'uid='
    Note that a default access log records only the request line, not the POST body, so 'uid=' will only match when the parameter is sent in the query string; inspecting the body of a POST requires request-body logging at the reverse proxy or WAF, or a traffic capture.
  • Use network traffic capture tools (e.g., tcpdump or Wireshark) to filter HTTP POST requests to the vulnerable endpoint and inspect the uid parameter for suspicious payloads.

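
As an added example (not part of this report or of any Landray OA tooling), the following Python checker applies the detection guidance above to log lines that record the POST body. It assumes a constructed log format whose last field is the request body in double quotes (for instance nginx's $request_body appended to the log_format); the sample lines, client addresses and the injection value are all constructed.

```python
"""Flag POST requests to wechatLoginHelper.do whose uid parameter looks injected."""
import re
from urllib.parse import parse_qs, unquote_plus

ENDPOINT = "/third/wechat/wechatLoginHelper.do"

# Tokens with no place in a WeChat user id but typical of HQL/SQL injection:
# quotes, comment markers, boolean tautologies, query keywords and updatexml().
SUSPICIOUS = re.compile(
    r"""['"]|--|/\*|\bor\b\s+[\w'"]+\s*=|\b(select|from|where|union|updatexml|extractvalue)\b""",
    re.IGNORECASE,
)

# Assumed log shape (constructed): client, two dashes, [timestamp], "METHOD PATH PROTO",
# status, bytes, then the request body in double quotes (e.g. nginx $request_body).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\w+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)


def suspicious_uid(body):
    """Return the decoded uid value if it matches an injection pattern, else None."""
    for raw in parse_qs(body, keep_blank_values=True).get("uid", []):
        # parse_qs decodes once; a second pass catches double-encoded payloads.
        value = unquote_plus(raw)
        if SUSPICIOUS.search(value):
            return value
    return None


def scan_log(lines):
    """Yield (client, uid) for POSTs to the endpoint with a suspicious uid parameter."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?", 1)[0] != ENDPOINT:
            continue
        hit = suspicious_uid(m["body"])
        if hit is not None:
            yield m["client"], hit


# Constructed sample lines: a benign login, an injection attempt, an unrelated GET.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Mar/2024:08:00:01 +0000] "POST /third/wechat/wechatLoginHelper.do HTTP/1.1" 200 512 "uid=oZ1a2b3c4d"',
    '198.51.100.7 - - [11/Mar/2024:08:00:02 +0000] "POST /third/wechat/wechatLoginHelper.do HTTP/1.1" 500 88 "uid=x%27+or+%271%27%3D%271"',
    '198.51.100.9 - - [11/Mar/2024:08:00:03 +0000] "GET /login.jsp HTTP/1.1" 200 1024 "-"',
]

if __name__ == "__main__":
    for client, uid in scan_log(SAMPLE_LOG):
        print(f"suspicious uid from {client}: {uid!r}")
```

The pattern list is a starting point for a WAF or SIEM rule; a benign WeChat user id should never contain quotes, comment markers or query keywords, so matches warrant review rather than automatic blocking of the client.
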
Mitigation Strategies

Immediate mitigation steps include applying available patches or updates to the Landray OA system to fix the input sanitization issue in the wechatLoginHelper.do endpoint.

If patches are not yet available, implement web application firewall (WAF) rules to block or sanitize requests containing suspicious HQL or SQL injection patterns targeting the uid parameter.

Restrict access to the vulnerable endpoint by network segmentation or IP whitelisting to limit exposure.

Monitor logs and network traffic for exploitation attempts and respond accordingly.

Compliance Impact

This vulnerability allows unauthenticated attackers to extract sensitive data such as administrator password hashes and potentially other sensitive information from the database.

Exposure of sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information.

Additionally, the possibility of remote code execution through file-write operations increases the risk of unauthorized access and data breaches, further impacting compliance with security standards.
