esiclivre 0.2.2 SQL Injection
2026-3-26 08:58:54 Author: cxsecurity.com

# CVE-2026-30655 — SQL Injection in esiclivre (password reset)

## Summary

A SQL injection vulnerability exists in the password reset endpoint of esiclivre. An unauthenticated attacker can inject SQL via the `cpfcnpj` POST parameter, potentially resulting in unauthorized access to sensitive information.

## Affected Project

- Repository: https://github.com/esiclivre/esiclivre
- Affected versions: v0.2.2 and earlier
- Affected commit: up to and including 0a72b4c9ab89244ec3bd3d7fa0b765850cc9afd7

## Technical Details

- Endpoint: `POST /reset/index.php`
- Parameter: `cpfcnpj`
- Root cause: user input is concatenated into a SQL query in `Solicitante::resetaSenha()` without parameterization.

## Impact

- Potential unauthorized access to sensitive database information (information disclosure).

## Mitigation / Fix

No upstream fix is available at the time of publication. Recommended remediation:

- Use parameterized queries (prepared statements) for database access.
- Validate and sanitize user input.
- Consider temporarily restricting access to the password reset endpoint until patched.

## Timeline

- 2025-04-12: Reported to vendor/maintainers
- 2026-02-09: CVE request submitted
- 2026-03-23: CVE-2026-30655 assigned

## Credits

Discovered by Bryan Romero (https://github.com/brynax).
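The concatenation flaw described above next to the recommended fix, as an added illustration that is not code from esiclivre (which is PHP); the `solicitante` table, its columns and the sample rows are constructed here, and the CPF/CNPJ format check (11 or 14 digits after stripping separators) is an assumption about reasonable input validation, not something the advisory specifies:

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the application's database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE solicitante (id INTEGER, cpfcnpj TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO solicitante VALUES (?, ?, ?)",
        [
            (1, "12345678901", "a@example.org"),
            (2, "98765432100", "b@example.org"),
            (3, "12345678000195", "c@example.org"),
        ],
    )
    return db


def reset_lookup_vulnerable(db, cpfcnpj):
    # Mirrors the root cause: the POST value is spliced into the query text,
    # so whatever the caller sends is parsed as SQL by the database.
    sql = "SELECT id, email FROM solicitante WHERE cpfcnpj = '" + cpfcnpj + "'"
    return db.execute(sql).fetchall()


def normalize_cpfcnpj(value):
    # Accept common formatted forms (123.456.789-01, 12.345.678/0001-95) and
    # reject anything that is not exactly 11 (CPF) or 14 (CNPJ) digits.
    digits = re.sub(r"[.\-/]", "", value)
    if not re.fullmatch(r"\d{11}|\d{14}", digits):
        raise ValueError("cpfcnpj must be 11 or 14 digits")
    return digits


def reset_lookup_fixed(db, cpfcnpj):
    # Validate first, then bind the value as a parameter: the driver passes it
    # to the database as data, never as part of the SQL statement.
    digits = normalize_cpfcnpj(cpfcnpj)
    sql = "SELECT id, email FROM solicitante WHERE cpfcnpj = ?"
    return db.execute(sql, (digits,)).fetchall()


def lookup_param_only(db, cpfcnpj):
    # Binding alone (no format check) is already enough to defeat injection;
    # the validation above is defence in depth and gives cleaner error handling.
    sql = "SELECT id, email FROM solicitante WHERE cpfcnpj = ?"
    return db.execute(sql, (cpfcnpj,)).fetchall()
```

Running the three lookups with an identical non-numeric input shows the difference: the concatenated query returns every row, the bound query returns none, and the validated path rejects the input before any query is issued.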



Source: https://cxsecurity.com/issue/WLB-2026030036