Critical Vulnerability Information

Affected Product
Name: XCKK Low-Code Development Platform
Version: V9.6

Vulnerable File
Filename: OaNoticeController.java

Vulnerability Type
Type: SQL Injection

Root Cause
Cause: The parameter is not properly sanitized or validated and is used directly in SQL queries.

Impact
Risk: Attackers can exploit this vulnerability to gain unauthorized database access, leak sensitive data, modify data, disrupt system control, or cause service outages, severely threatening system security and business continuity.

Description
Details: A critical SQL injection vulnerability has been detected in the OaNoticeController.java file of XCKK V9.6. It arises from insufficient validation of user input for the parameter, which allows attackers to inject malicious SQL code, manipulate the resulting SQL queries, and perform unauthorized operations.

Authentication Requirement
Condition: This vulnerability can only be exploited by authenticated users, because the system checks for an active session before allowing access to the OaNoticeController.java page.

Vulnerability Details and POC
Location: parameter
Payload:

Recommended Remediation
1. Use Prepared Statements and Parameter Binding: Prepared statements effectively prevent SQL injection by separating SQL code from user input.
2. Implement Input Validation and Filtering: Strictly validate and filter user input to ensure it conforms to expected formats, blocking malicious input.
3. Minimize Database User Privileges: Ensure that database connection accounts have only the minimum necessary privileges, avoiding the use of high-privilege accounts (such as root or admin) for routine operations.
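As an added illustration of remediation steps 1 and 2 (example code written for this advisory, not code from the XCKK platform or its OaNoticeController), the concatenating lookup is shown beside its prepared-statement replacement with allow-list validation. The table name `oa_notice`, the column `title` and the parameter name `noticeId` are assumptions, since the advisory does not name the affected parameter.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Hypothetical notice lookup used to contrast the two query styles.
 * Not the platform's own code; table, column and parameter names are assumed.
 */
public class NoticeRepository {

    // Weak form: the request parameter is concatenated into the SQL text, so the
    // database cannot tell the developer's query apart from user-supplied input.
    static String findTitleUnsafe(Connection conn, String noticeId) throws SQLException {
        String sql = "SELECT title FROM oa_notice WHERE id = '" + noticeId + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return rs.next() ? rs.getString("title") : null;
        }
    }

    // Corrected form: the value is bound to a placeholder and sent separately
    // from the query text, so it can never change the statement's structure.
    static String findTitleSafe(Connection conn, String noticeId) throws SQLException {
        validateNoticeId(noticeId); // step 2: reject input outside the expected format
        String sql = "SELECT title FROM oa_notice WHERE id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, noticeId); // step 1: parameter binding
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("title") : null;
            }
        }
    }

    // Allow-list validation; the assumption here is that notice ids are 1-20 digits.
    static void validateNoticeId(String noticeId) {
        if (noticeId == null || !noticeId.matches("[0-9]{1,20}")) {
            throw new IllegalArgumentException("invalid notice id");
        }
    }
}
```

The connection passed to `findTitleSafe` should belong to a database account limited to the tables and operations the controller needs (step 3), so that even a future injection bug elsewhere cannot reach beyond them.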