Skip to content

Commit a92bd1a

Browse files
committed
add: AVE-2023-0116
1 parent 2b0ee58 commit a92bd1a

1 file changed

Lines changed: 29 additions & 0 deletions

File tree

vulns/2023/AVE-2023-0116.toml

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
[basic]
2+
description = "泛微 e-cology 9 协同办公系统的 /mobile/plugin/browser.jsp 接口存在 SQL 注入漏洞。该系统由泛微为中大型组织打造,集知识管理、人力管理、客户管理、流程管理等功能于一体。由于对用户输入数据缺乏充分校验,未经身份认证的远程攻击者可通过向 keyword 参数传入经过三层 URL 编码的恶意 SQL 语句,利用 UNION 注入方式获取数据库中的敏感信息,包括数据库版本、用户凭证等。该漏洞影响 e-cology V9 系列中低于 10.56 的版本。"
3+
published = "2023-04-06"
4+
remediation = "升级至泛微 e-cology V10.56 或更高版本。官方安全补丁下载中心(https://www.weaver.com.cn/cs/securityDownload.asp)已提供适用于 E9 产品的全量安全补丁(当前最新 v10.80)及基于 v10.56 的增量安全补丁包。升级前请备份应用与数据库,按照官方升级操作说明进行部署;同时建议在 WAF 层对 /mobile/plugin/browser.jsp 接口的 keyword 参数设置严格的输入过滤规则,拦截 SQL 注入特征请求。"
5+
score = 7.5
6+
severity = "HIGH"
7+
sources = ["nuclei"]
8+
title = "泛微 e-cology 9 协同办公系统 SQL 注入漏洞"
9+
updated = "2026-07-14"
10+
11+
[exploit]
12+
exp_urls = []
13+
poc_urls = []
14+
15+
[id]
16+
aliases = ["NUCLEI-HTTP-CNVD-2023-CNVD-2023-12632-YAML"]
17+
ave_id = "AVE-2023-0116"
18+
19+
[meta]
20+
collected_at = "2026-07-14T22:06:45.944548366+00:00"
21+
status = "completed"
22+
23+
[references]
24+
urls = [
25+
"https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cnvd/2023/CNVD-2023-12632.yaml",
26+
"https://blog.csdn.net/qq_50854662/article/details/129992329",
27+
"https://www.zhihu.com/tardis/zm/art/625931869?source_id=1003",
28+
"https://www.weaver.com.cn/cs/securityDownload.asp",
29+
]

0 commit comments

Comments
 (0)