CVE-2023-50578: 
Java vulnerability analysis and mitigation

Mingsoft MCMS v5.2.9 contains a SQL injection vulnerability that was discovered in the categoryType parameter at /content/list.do endpoint. The vulnerability was disclosed on December 30, 2023, and has been assigned CVE-2023-50578. The vulnerability affects the front-end article list query interface of the MCMS content management system (Gitee Issue).

The vulnerability exists due to improper validation of the categoryType parameter in the /content/list.do endpoint. The CVSS v3.1 base score for this vulnerability is 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely without requiring privileges or user interaction, and can result in high impact to confidentiality, integrity, and availability (NVD).

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL commands on the underlying database. This could potentially lead to unauthorized access to sensitive data, manipulation of database contents, or complete compromise of the database system (NVD).

Users are advised to upgrade to the latest version of MCMS. The vendor has acknowledged the vulnerability and recommended using the most recent version of the software (Gitee Issue).