CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2019-3576

inxedu through 2018-12-24 has a SQL Injection vulnerability that can lead to information disclosure via the deleteFaveorite/ PATH_INFO. The vulnerable code location is com.inxedu.os.edu.controller.user.UserController#deleteFavorite (aka deleteFavorite in com/inxedu/os/edu/controller/user/UserController.java), where courseFavoritesService.deleteCourseFavoritesById is mishandled during use of MyBatis. NOTE: UserController.java has a spelling variation in an annotation: a @RequestMapping("/deleteFaveorite/{ids}") line followed by a "public ModelAndView deleteFavorite" line.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.003

EPSS Ranking 49.7%

CVSS Severity

CVSS v3 Score 9.8

CVSS v2 Score 7.5

References

https://gitee.com/inxeduopen/inxedu/issues/IQIIV
https://exchange.xforce.ibmcloud.com/vulnerabilities/155030
https://gitee.com/inxeduopen/inxedu/issues/IQIIV

Products affected by CVE-2019-3576

Inxedu Project » Inxedu » Version: 2018-12-24

cpe:2.3:a:inxedu_project:inxedu:2018-12-24

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2019-3576

Products

Pricing

Contact Us