CVE-2024-48307
published 2024-10-31

CVE-2024-48307: JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component /onlDragDatasetHead/getTotalData.

Priority: P186 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 44.30% (98.6th percentile)

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| jeecg | jeecg_boot | | |

Detection & IOCs (extracted from sources)

url: `/jeecg-boot/drag/onlDragDatasetHead/getTotalData`
path: `/onlDragDatasetHead/getTotalData`
command: `{"tableName":"sys_user","compName":"test","condition":{"filter":{}},"config":{"assistValue":[],"assistType":[],"name":[{"fieldName":"concat(md5(999999999),0x3a,0x3a)","fieldType":"string"},{"fieldName":"id","fieldType":"string"}],"value":[{"fieldName":"id","fieldType":"1"}],"type":[]}}`
other: `YzhjNjA1OTk5ZjNkODM1MmQ3YmI3OTJjZjNmZGIyNWI6Og==`
  • Exploit POST requests target the endpoint `/drag/onlDragDatasetHead/getTotalData` with a JSON body containing a SQL injection payload in the `fieldName` parameter (e.g., `concat(md5(...),0x3a,0x3a)`).
  • Successful exploitation is confirmed by the presence of the base64-encoded string `YzhjNjA1OTk5ZjNkODM1MmQ3YmI3OTJjZjNmZGIyNWI6Og==` (md5(999999999)::) in the HTTP response body, combined with a 200 status code and `application/json` content type.
  • The vulnerability is unauthenticated (PR:N); no session or authentication token is required to exploit the endpoint.
  • Asset discovery: use FOFA queries `icon_hash="-250963920"` or `icon_hash=1380908726` or `title="jeecg-boot"`, and Shodan query `http.favicon.hash:"1380908726"` to identify exposed JeecgBoot instances.
  • The attack path may be served under either `/jeecg-boot/` or `/` base paths; both should be monitored.
  • The Nuclei template targets JeecgBoot v3.7.1 specifically; the SQL injection canary uses `md5(999999999)` with hex-encoded delimiters `0x3a,0x3a` to produce a deterministic, detectable output.
  • The template uses `stop-at-first-match: true` with a `batteringram` attack across two base paths, meaning only the first successful path match is reported.
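
The request-side indicators above can be turned into a log check. The following is an added example, not code from the advisory or from JeecgBoot: it flags POSTs to the endpoint under either base path whose JSON body carries a `fieldName` that is not a bare column identifier. The record shape (`method`, `path`, `body`), the identifier rule and the sample records are assumptions made for illustration.

```python
import json
import re

# Endpoint from the page; it may be served under "/" or "/jeecg-boot/".
ENDPOINT = re.compile(r"^(?:/jeecg-boot)?/drag/onlDragDatasetHead/getTotalData/?(?:\?.*)?$")
# Assumption: a legitimate fieldName is a bare column identifier.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def field_names(node):
    """Yield every string stored under a "fieldName" key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "fieldName" and isinstance(value, str):
                yield value
            else:
                yield from field_names(value)
    elif isinstance(node, list):
        for item in node:
            yield from field_names(item)


def inspect(record):
    """Return findings for one logged request; an empty list means clean."""
    if record["method"] != "POST" or not ENDPOINT.match(record["path"]):
        return []
    try:
        body = json.loads(record["body"])
    except (TypeError, ValueError):
        return ["unparseable JSON body"]
    return [f"non-identifier fieldName: {name}"
            for name in field_names(body) if not IDENTIFIER.match(name)]


# Constructed records in a hypothetical proxy-log shape (method, path, body).
SAMPLES = [
    {"method": "POST", "path": "/jeecg-boot/drag/onlDragDatasetHead/getTotalData",
     "body": '{"tableName":"sys_user","config":{"name":[{"fieldName":'
             '"concat(md5(999999999),0x3a,0x3a)","fieldType":"string"},'
             '{"fieldName":"id","fieldType":"string"}]}}'},
    {"method": "POST", "path": "/drag/onlDragDatasetHead/getTotalData",
     "body": '{"tableName":"orders","config":{"name":[{"fieldName":"id"}]}}'},
    {"method": "POST", "path": "/drag/onlDragDatasetHead/getTotalData",
     "body": "not json"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["path"], "->", inspect(sample) or "clean")
```

Because the check keys on the shape of `fieldName` rather than on the `md5(999999999)` canary, it also catches requests that use a different expression than the one the Nuclei template sends.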

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 · CRITICAL