edp963 / davinci

Davinci is a DVsaaS (Data Visualization as a Service) Platform
https://edp963.github.io/davinci
Apache License 2.0
4.89k stars, 1.82k forks

Sql Injection vulnerability in copyDisplay function #2320

Open ctfer-Stao opened 1 year ago

ctfer-Stao commented 1 year ago

In edp.davinci.dao.DisplayMapper#selectMaxNameOrderByName, `$` is used as a splice character, which causes SQL injection.

The selectMaxNameOrderByName function is used in edp.davinci.service.impl.DisplayServiceImpl#copyDisplay.

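The issue above is the MyBatis `${}` versus `#{}` distinction: `${name}` pastes the raw string into the SQL text before it reaches the JDBC driver, while `#{name}` sends it as a bind parameter that can never change the statement's structure. The following is an added, self-contained example written for this write-up; it is not davinci's code, and the `display` table, the mapper SQL and the method names (`maxNameUnsafe`, `maxNameSafe`) are hypothetical stand-ins for the real `selectMaxNameOrderByName` query, which is not reproduced here. It assumes `org.mybatis:mybatis` and `com.h2database:h2` on the classpath.

```java
// Added example (not davinci's code): a MyBatis "${}" splice beside the
// "#{}" bind-parameter form that prevents SQL injection.
// Assumptions: in-memory H2 database; a hypothetical "display" table with
// columns (id, project_id, name); mapper SQL is illustrative only and is not
// the SQL in edp.davinci.dao.DisplayMapper.
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.apache.ibatis.datasource.unpooled.UnpooledDataSource;
import org.apache.ibatis.mapping.Environment;
import org.apache.ibatis.session.Configuration;
import org.apache.ibatis.session.SqlSession;
import org.apache.ibatis.session.SqlSessionFactory;
import org.apache.ibatis.session.SqlSessionFactoryBuilder;
import org.apache.ibatis.transaction.jdbc.JdbcTransactionFactory;

import java.sql.Statement;

interface DisplayMapper {
    // VULNERABLE (hypothetical): ${name} is substituted into the SQL text before
    // the driver sees it, so quotes and keywords in "name" become part of the
    // statement. This is the pattern the issue reports.
    @Select("SELECT MAX(name) FROM display WHERE project_id = #{projectId} "
          + "AND name LIKE '${name}%'")
    String maxNameUnsafe(@Param("projectId") long projectId, @Param("name") String name);

    // FIXED (hypothetical): #{name} is passed as a JDBC bind parameter; the value
    // is only ever data. The LIKE pattern is built in SQL with CONCAT instead of
    // by string splicing.
    @Select("SELECT MAX(name) FROM display WHERE project_id = #{projectId} "
          + "AND name LIKE CONCAT(#{name}, '%')")
    String maxNameSafe(@Param("projectId") long projectId, @Param("name") String name);
}

public class MyBatisSpliceDemo {

    // Programmatic MyBatis setup against an in-memory H2 database, no XML needed.
    static SqlSessionFactory buildFactory() {
        UnpooledDataSource ds = new UnpooledDataSource(
                "org.h2.Driver", "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1", "sa", "");
        Environment env = new Environment("demo", new JdbcTransactionFactory(), ds);
        Configuration cfg = new Configuration(env);
        cfg.addMapper(DisplayMapper.class);
        return new SqlSessionFactoryBuilder().build(cfg);
    }

    public static void main(String[] args) throws Exception {
        SqlSessionFactory factory = buildFactory();
        try (SqlSession session = factory.openSession(true);
             Statement st = session.getConnection().createStatement()) {
            // Constructed sample data: project 1 owns "report_a", project 2 owns "zz_secret".
            st.execute("CREATE TABLE display (id INT, project_id INT, name VARCHAR(64))");
            st.execute("INSERT INTO display VALUES (1, 1, 'report_a'), (2, 2, 'zz_secret')");

            DisplayMapper mapper = session.getMapper(DisplayMapper.class);
            // A display name a copy request for project 1 might legitimately send.
            String benign = "report";
            // The same parameter carrying a quote and an SQL line-comment marker.
            String hostile = "' OR 1=1 --";

            // Both forms agree on ordinary input.
            System.out.println("unsafe, benign : " + mapper.maxNameUnsafe(1, benign)); // report_a
            System.out.println("safe,   benign : " + mapper.maxNameSafe(1, benign));   // report_a

            // With ${}, the WHERE clause becomes "... AND name LIKE '' OR 1=1 --%'":
            // the project filter is defeated and MAX(name) spans every project.
            System.out.println("unsafe, hostile: " + mapper.maxNameUnsafe(1, hostile)); // zz_secret

            // With #{}, the same input is compared only as a literal prefix.
            System.out.println("safe,   hostile: " + mapper.maxNameSafe(1, hostile));   // null
        }
    }
}
```

Two review points follow from this. First, the fix is mechanical: every `${...}` in a mapper that receives user-controlled data should become `#{...}`, with `${}` reserved for identifiers (table or column names) that are validated against an allow-list in Java. Second, binding alone does not neutralise LIKE metacharacters: a `#{name}` containing `%` or `_` still acts as a wildcard, so a name used as a LIKE prefix should also be escaped (or matched with `=` where a prefix match is not actually required).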