Description

netease-youdao/qanything version 1.4.1 contains a vulnerability where unsafe data obtained from user input is concatenated in SQL queries, leading to SQL injection. The affected functions include `get_knowledge_base_name`, `from_status_to_status`, `delete_files`, and `get_file_by_status`. An attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially stealing information from the database. The issue is fixed in version 1.4.2.

INFO

Published Date :

2024-10-13T21:09:53.816Z

Last Modified :

2024-10-15T14:56:00.675Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-7099 vulnerability.

Vendors Products
Netease
  • Qanything
Qanything
  • Qanything
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-7099.

URL Resource
https://github.com/netease-youdao/qanything/commit/a87354f09d93e95350fb45eb343dc75454387554 cve-icon cve-icon
https://huntr.com/bounties/bc98983e-06cc-4a4b-be01-67e5010cb2c1 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact