CVE-2024-7099
CRITICALqanything 1.4.1 - SQL Injection via Unsafe User Input Concatenation
Title source: llmDescription
netease-youdao/qanything version 1.4.1 contains a vulnerability where unsafe data obtained from user input is concatenated in SQL queries, leading to SQL injection. The affected functions include `get_knowledge_base_name`, `from_status_to_status`, `delete_files`, and `get_file_by_status`. An attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially stealing information from the database. The issue is fixed in version 1.4.2.
References (2)
Core 2
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/bc98983e-06cc-4a4b-be01-67e5010cb2c1
Scores
CVSS v3
9.8
EPSS
0.0061
EPSS Percentile
44.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (1)
qanything/qanything
1.4.1
Published
Oct 13, 2024
Tracked Since
Feb 18, 2026