inxedu through 2018-12-24 has a SQL Injection vulnerability that can lead to information disclosure via the deleteFaveorite/ PATH_INFO. The vulnerable code location is com.inxedu.os.edu.controller.user.UserController#deleteFavorite (aka deleteFavorite in com/inxedu/os/edu/controller/user/UserController.java), where courseFavoritesService.deleteCourseFavoritesById is mishandled during use of MyBatis. NOTE: UserController.java has a spelling variation in an annotation: a @RequestMapping("/deleteFaveorite/{ids}") line followed by a "public ModelAndView deleteFavorite" line.
                
References

| Link | Resource |
|---|---|
| https://gitee.com/inxeduopen/inxedu/issues/IQIIV | Not Applicable Third Party Advisory | 
| https://exchange.xforce.ibmcloud.com/vulnerabilities/155030 | Third Party Advisory | 

History
21 Nov 2024, 04:42

| Type | Values Removed | Values Added | 
|---|---|---|
| References | () https://gitee.com/inxeduopen/inxedu/issues/IQIIV - Not Applicable, Third Party Advisory | 

Information
Published : 2019-01-02 17:29
Updated : 2024-11-21 04:42
NVD link : CVE-2019-3576
Mitre link : CVE-2019-3576
CVE.ORG link : CVE-2019-3576

Products Affected
inxedu_project
- inxedu

CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
