CVE-2019-3576
CVE-2019-3576 is a vulnerability of currently unknown severity. EPSS estimates a 1.53% chance of exploitation in the next 30 days.
Description
inxedu through 2018-12-24 has a SQL Injection vulnerability that can lead to information disclosure via the deleteFaveorite/ PATH_INFO. The vulnerable code location is com.inxedu.os.edu.controller.user.UserController#deleteFavorite (aka deleteFavorite in com/inxedu/os/edu/controller/user/UserController.java), where courseFavoritesService.deleteCourseFavoritesById is mishandled during use of MyBatis. NOTE: UserController.java has a spelling variation in an annotation: a @RequestMapping("/deleteFaveorite/{ids}") line followed by a "public ModelAndView deleteFavorite" line.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Inxedu Project | Inxedu | <= 2018-12-24 |
References
- https://gitee.com/inxeduopen/inxedu/issues/IQIIV (Not Applicable, Third Party Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/155030 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
