CVE-2024-7099

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-7099

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-7099.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-7099

Published

2024-10-13T21:15:10.957Z

Modified

2026-02-15T08:18:37.171511Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

netease-youdao/qanything version 1.4.1 contains a vulnerability where unsafe data obtained from user input is concatenated in SQL queries, leading to SQL injection. The affected functions include get_knowledge_base_name, from_status_to_status, delete_files, and get_file_by_status. An attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially stealing information from the database. The issue is fixed in version 1.4.2.

References

Affected packages

Git / github.com/netease-youdao/qanything

Affected ranges

Type: GIT
Repo: https://github.com/netease-youdao/qanything
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

e0181b7c14feeb4f6b38c1f193f3bf032ef429ef

Affected versions

v1.*

v1.1.0

v1.1.1

v1.2.0

v1.4.0-python

v1.4.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-7099.json"