CVE-2021-46383: 
Java vulnerability analysis and mitigation

MCMS version 5.2.5 and earlier contains a SQL injection vulnerability in the net.mingsoft.mdiy.action.web.DictAction#list component. The vulnerability allows remote attackers to obtain sensitive information from the database through the orderBy parameter in the /mdiy/dict/list endpoint. The vulnerability was discovered and reported in January 2022 (Gitee Issue).

The vulnerability exists in the /mdiy/dict/list route where the orderBy parameter value is directly concatenated into an SQL query without any sanitization or validation. This allows an attacker to inject malicious SQL commands that can be executed by the database. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) (NVD).

A successful exploitation of this vulnerability could allow attackers to extract sensitive information from the database through SQL injection attacks. The vulnerability provides unauthorized access to database contents, potentially exposing confidential data (NVD).

The vulnerability was fixed in version 5.2.6. Users are advised to upgrade to this version or later to mitigate the risk. For systems that cannot be immediately upgraded, implementing proper input validation and SQL query parameterization at the web application firewall level may help mitigate the risk (NVD).