Sixun Shanghui Group Business Management System
SQL injection in the Sixun Shanghui Group Business Management System 10 exposes the /api/Dinner/PayConfig endpoint to unauthenticated remote attackers, who can manipulate the tableno parameter to execute arbitrary SQL queries against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates that exploitation requires no authentication, no user interaction, and no special network position: only network access to the endpoint. A public proof-of-concept exploit is available via a Feishu document, though EPSS remains very low at 0.03% (8th percentile), and no patch has been released because the vendor was unresponsive to coordinated disclosure.
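The flaw class described above (a request parameter concatenated into a SQL statement) beside its parameterized fix, plus a log check a defender can run for requests to this endpoint while no vendor patch exists. This is an added example written for this page, not code from the product or its vendor: the table and column names, the allow-list format for tableno, and the access-log layout are all assumptions, and the sample log lines are constructed.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Assumed stand-in schema; the product's real tables are not on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pay_config (tableno TEXT, pay_channel TEXT)")
    conn.executemany("INSERT INTO pay_config VALUES (?, ?)",
                     [("A01", "wechat"), ("A02", "alipay")])
    return conn

def pay_config_vulnerable(conn, tableno):
    # Hypothetical reconstruction of the flaw class: the tableno value becomes
    # part of the SQL text, so quote characters change the statement's meaning.
    sql = f"SELECT pay_channel FROM pay_config WHERE tableno = '{tableno}'"
    return [row[0] for row in conn.execute(sql)]

def pay_config_fixed(conn, tableno):
    # Parameterized query: the driver binds tableno as data, never as SQL.
    sql = "SELECT pay_channel FROM pay_config WHERE tableno = ?"
    return [row[0] for row in conn.execute(sql, (tableno,))]

# Assumed allow-list for a table number; tighten to the real format in use.
TABLENO_RE = re.compile(r"[A-Za-z0-9_-]{1,16}")

def validate_tableno(tableno):
    """True only when the value is a plain table number (input validation
    complements, but does not replace, parameterized queries)."""
    return TABLENO_RE.fullmatch(tableno) is not None

# Access-log parsing (assumed combined-log-like layout).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ENDPOINT = "/api/Dinner/PayConfig"

def flag_suspicious_requests(log_lines):
    """Return (tableno value, HTTP status) for requests to the PayConfig
    endpoint whose tableno parameter does not look like a table number."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group("path"))
        if url.path != ENDPOINT:
            continue
        for value in parse_qs(url.query).get("tableno", []):
            if not validate_tableno(value):
                hits.append((value, m.group("status")))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:12:00:00 +0000] "GET /api/Dinner/PayConfig?tableno=A02 HTTP/1.1" 200 128',
    '10.0.0.9 - - [01/Jan/2025:12:00:07 +0000] "GET /api/Dinner/PayConfig?tableno=A01%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:12:00:09 +0000] "GET /api/Dinner/Menu?tableno=A01 HTTP/1.1" 200 64',
]

def demo():
    """Same tautology input against both query styles, for comparison."""
    conn = make_db()
    probe = "A01' OR '1'='1"
    return {
        "vulnerable": sorted(pay_config_vulnerable(conn, probe)),
        "fixed": pay_config_fixed(conn, probe),
        "flagged": flag_suspicious_requests(SAMPLE_LOG),
    }

if __name__ == "__main__":
    print(demo())
```

The vulnerable function returns every row for the tautology input while the parameterized version returns nothing, which is the behaviour difference a reviewer should look for in the handler behind tableno. The log check is deliberately narrow (endpoint path plus a format allow-list on the one parameter named in the advisory) so it can be dropped into an existing log pipeline without a large false-positive rate.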