In src/java/com/example/acme/portal/resolver/core/DefaultResolverFactory.java on line 287, the deleteResolverWithPrefix method of the DefaultResolverFactory class is vulnerable to SQL injection (CWE-89) through the user-controlled prefix parameter. The issue can be exploited by a Contributor user through the Manage Resolvers functionality: add a Resolver Prefix that contains a single quote (') followed by SQL, then select Delete on that resolver.
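The defect class described above, as an added illustration that is not the project's Java code: a delete-by-prefix routine that splices the prefix into the SQL text beside the parameterized form that fixes it. The `resolver` table, its `prefix` column, the sample rows and the prefix whitelist are all constructed for this example; the real schema, the real code on line 287 and the acceptable format of a resolver prefix are not reproduced here. Python with the standard sqlite3 module is used so the difference in behaviour can be run offline.

```python
"""Constructed illustration of CWE-89 in a delete-by-prefix routine.

Hypothetical schema: a `resolver` table with a `prefix` column. The project's
real schema and code are not reproduced here.
"""
import re
import sqlite3

# Whitelist for a resolver prefix (assumed for this example; the real rules
# for an acceptable prefix depend on the application).
SAFE_PREFIX = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a few constructed resolver rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resolver (id INTEGER PRIMARY KEY, prefix TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO resolver (prefix) VALUES (?)",
        [("alpha",), ("beta",), ("gamma",)],
    )
    conn.commit()
    return conn


def delete_resolver_with_prefix_vulnerable(conn: sqlite3.Connection, prefix: str) -> int:
    """Same shape as the reported defect: the user-controlled value is spliced
    into the SQL text, so a single quote ends the literal and the remainder of
    the value is parsed as SQL. Returns the number of rows deleted."""
    sql = "DELETE FROM resolver WHERE prefix = '" + prefix + "'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_resolver_with_prefix_parameterized(conn: sqlite3.Connection, prefix: str) -> int:
    """The fix: the prefix travels as a bound parameter, so the driver hands
    it to the database as a value and never interprets it as SQL."""
    cur = conn.execute("DELETE FROM resolver WHERE prefix = ?", (prefix,))
    conn.commit()
    return cur.rowcount


def delete_resolver_with_prefix_validated(conn: sqlite3.Connection, prefix: str) -> int:
    """Defence in depth on top of parameterization: reject prefixes that do
    not match the expected shape before they reach the database at all."""
    if not isinstance(prefix, str) or not SAFE_PREFIX.fullmatch(prefix):
        raise ValueError("invalid resolver prefix")
    return delete_resolver_with_prefix_parameterized(conn, prefix)


def remaining_prefixes(conn: sqlite3.Connection) -> list[str]:
    """Prefixes still present, in sorted order, for inspection."""
    return [row[0] for row in conn.execute("SELECT prefix FROM resolver ORDER BY prefix")]


def demo() -> dict:
    """Run each variant against a prefix of the kind the report describes
    (a quote followed by SQL) and against a legitimate prefix."""
    # Constructed value: no row has this prefix, but the quote reshapes the WHERE clause.
    crafted = "zzz' OR '1'='1"

    vuln = make_db()
    vuln_deleted = delete_resolver_with_prefix_vulnerable(vuln, crafted)

    param = make_db()
    param_deleted = delete_resolver_with_prefix_parameterized(param, crafted)

    safe = make_db()
    try:
        delete_resolver_with_prefix_validated(safe, crafted)
        rejected = False
    except ValueError:
        rejected = True
    safe_deleted = delete_resolver_with_prefix_validated(safe, "beta")

    return {
        "vulnerable_deleted": vuln_deleted,
        "vulnerable_remaining": remaining_prefixes(vuln),
        "parameterized_deleted": param_deleted,
        "parameterized_remaining": remaining_prefixes(param),
        "crafted_rejected": rejected,
        "safe_deleted": safe_deleted,
        "safe_remaining": remaining_prefixes(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated form deletes every row when handed the crafted prefix, while the parameterized form deletes none because the whole string is compared as a literal value; the whitelist simply refuses the input before a query is built. Parameterization is the fix for the reported defect; validation of the prefix format is an additional control and not a substitute for it.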