cbcvebase.
CVE-2023-38992
published 2023-07-28

CVE-2023-38992: jeecg-boot v3.5.1 was discovered to contain a SQL injection vulnerability via the title parameter at /sys/dict/loadTreeData.

PriorityP278critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
72.04%
99.4th percentile
jeecg-boot v3.5.1 was discovered to contain a SQL injection vulnerability via the title parameter at /sys/dict/loadTreeData.

Affected

1 ranges
VendorProductVersion rangeFixed in
jeecgjeecg_boot

Detection & IOCsextracted from sources · hover to see the quote

url/sys/dict/loadTreeData?tableName=sys_user&text=password%20text,id&code=password&hasChildField=&converIsLeafVal=1&condition=&pid=admin&pidField=username
url/sys/dict/loadTreeData?tableName=sys_user+t&text=password,id&code=password&hasChildField=&converIsLeafVal=1&condition=&pid=admin&pidField=username
path/sys/dict/loadTreeData
  • Detect exploitation attempts by matching HTTP GET requests to /sys/dict/loadTreeData with SQL injection patterns in the tableName or text parameters (e.g., space-separated column names, table aliases with '+t').
  • Successful exploitation responses contain all of the following JSON fields: 'parentId":', 'key":', '{"title', and 'success":true' with Content-Type application/json and HTTP 200 status.
  • Identify Jeecg-Boot instances exposed on the internet using the favicon hash 1380908726 (Shodan: http.favicon.hash:1380908726 / FOFA: icon_hash=1380908726).
  • The vulnerable endpoint is unauthenticated (PR:N) — monitor for GET requests to /sys/dict/loadTreeData from unauthenticated sources, especially with tableName values containing spaces or SQL aliases.
  • ·The Nuclei template targets jeecg-boot v3.5.1 specifically; the path payload includes both root-path and 'jeecg-boot/' prefix variants to account for different deployment configurations.
  • ·The template uses stop-at-first-match, meaning only the first successful payload path is confirmed; both URL variants should be tested independently in manual assessments.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.